diff --git a/about/backers/index.html b/about/backers/index.html index bc835ce6b..f6c191f7e 100644 --- a/about/backers/index.html +++ b/about/backers/index.html @@ -1096,7 +1096,7 @@
Add the following parameters:
-- Name: CSF (ConfigServer Firewall)
-- Slug: csf
-- Group: Administrative
-- Provider: CSF ForwardAuth
-- Backchannel Providers: None
-- Policy Engine Mode: any
Add the following parameters:
+CSF (ConfigServer Firewall)
csf
Administrative
CSF ForwardAuth
None
any
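Review bot: the replacement drops the field labels. The removed lines carried `Name:`, `Slug:`, `Group:`, `Provider:`, `Backchannel Providers:` and `Policy Engine Mode:` in front of each value, while the added side lists only the bare values `CSF (ConfigServer Firewall)`, `csf`, `Administrative`, `CSF ForwardAuth`, `None`, `any`, so a reader can no longer tell which value belongs in which field. Keep the labels (or render the pairs as a two-column table) so the parameter list stays self-describing. Also worth confirming that `about/backers/index.html` is the intended file for this hunk, since the content describes a CSF ForwardAuth application rather than project backers.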
Welcome to the ConfigServer documentation
"}, {"location": "about_csf/", "title": "About ConfigServer Firewall", "text": "ConfigServer Firewall, also known as CSF, is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. CSF provides better security for your server while giving you an advanced, easy to use interface for managing firewall settings. CSF configures your server\u2019s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking email, or loading websites.
ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD. LFD watches your user activity for excessive login failures, which are commonly seen during brute force attacks. If a large number of login failures are seen coming from the same IP address, that IP will immediately be temporarily blocked from all services on your server. These IP blocks will automatically expire; however, they can be removed manually through the ConfigServer interface in WebHost Manager. In addition to removing IPs, CSF also allows you to manually whitelist or blacklist IPs in your firewall, as well as real-time monitoring of automatic IP blocks in LFD. Configuration details are covered in Managing Your CSF Firewall.
When installing CSF, you will be provided with two services:
Service: csf
Description: ConfigServer Firewall (csf): SPI iptables firewall which allows you to restrict what is allowed to communicate with your server.
Service: lfd
Description: Login Failure Daemon (lfd): Process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time.
A partial list of ConfigServer Firewall features is outlined below.
This section is optional to read. It simply outlines what the patcher does from the time of execution to better explain what will be happening on your system.
/patch folder to your system.
install.sh file to be executable: sudo chmod +x install.sh
install.sh script: sudo ./install.sh
/usr/local/csf/bin/csfpre.sh
/usr/local/csf/bin/csfpost.sh
/usr/local/include/csf/post.d/docker.sh
/usr/local/include/csf/post.d/openvpn.sh
Docker patch will first check to ensure you have the following: docker* or br-*
OpenVPN patch will first check to ensure you have the following: tun* (tun0, tun1, etc), eth* or enp*
ip link show
ifconfig
openvpn --version
install.sh any time after the initial setup: if csfpre, csfpost, or patch files do not exist, they will be re-added to your system.
This documentation is related to the GitHub repository for ConfigServer Firewall, a popular and powerful firewall solution for Linux servers. On top of documentation for the software itself, this repository includes added patches which allow you to seamlessly integrate Docker and OpenVPN server with ConfigServer Firewall so that all of the services can communicate with each other without interruption.
This documentation covers the following:
- feat: add new patch openvpn
- feat: add new command-line arguments:
  - -d, --dev for advanced logging
  - -f, --flush to completely remove iptable rules
  - -r, --report to display dependency stats, app information, etc.
  - -v, --version to display patcher version
- enhance: docker patch now allows for multiple ip blocks to be whitelisted
- refactor: re-write of script
- refactor: merge all scripts into one
- bug: fixed issue with manual mode being disabled - #1
- bug: fixed error \"docker network inspect\" requires at least 1 argument. - #1
- bug: fixed error invalid port/service '-j' error
- docs: rewrite documentation to include better instructions
- ci: add workflow to automatically grab latest version of ConfigServer Firewall and append to each release
This documentation uses some symbols for illustration purposes. Before you read on, please make sure you've made yourself familiar with the following list of conventions:
"}, {"location": "about/conventions/#release-type", "title": "Release Type", "text": "The tag symbol in conjunction with a version number denotes when a specific feature or behavior was added. Make sure you're at least on this version if you want to use it.stable
beta
"}, {"location": "about/conventions/#default", "title": "Controls", "text": "These icons define what type of control a specified setting uses.toggle
textbox
dropdown
button
slider
color wheel
"}, {"location": "about/conventions/#default", "title": "\u2013 Default Value", "text": "This defines what the default value for a setting is.Specified setting has a default value
Specified setting has no default value and is empty
Specified setting is automatically computed by the app
"}, {"location": "about/conventions/#command", "title": "\u2013 Command", "text": "This defines a commandSpecified setting has a default value
"}, {"location": "about/conventions/#experimental", "title": "\u2013 Experimental", "text": "Anything listed with this icon are features or functionality that are still in development and may change in future versions.
"}, {"location": "about/conventions/#required", "title": "\u2013 Required value", "text": "Items listed with this symbol indicate that they are required to be set.
"}, {"location": "about/conventions/#customization", "title": "\u2013 Customization", "text": "This symbol denotes that the item described is a customization which affects the overall look of the app.
"}, {"location": "about/conventions/#3rd-party", "title": "\u2013 3rd Party", "text": "This symbol denotes that the item described is classified as something that changes the overall functionality of the plugin.
"}, {"location": "about/conventions/#metadata", "title": "\u2013 Metadata property", "text": "This symbol denotes that the item described is a metadata property, which can be used in Markdown documents as part of the front matter definition.
"}, {"location": "about/conventions/#setting", "title": "\u2013 Configurable Setting", "text": "This symbol denotes that an item is configurable by the user
"}, {"location": "about/conventions/#multiple-instances", "title": "\u2013 Multiple instances", "text": "This symbol denotes that the plugin supports multiple instances, i.e, that it can be used multiple times in the plugins
setting in mkdocs.yml.
Most of the features are hidden behind feature flags, which means they must be explicitly enabled via mkdocs.yml. This allows for the existence of potentially orthogonal features.
The pumping heart symbol denotes that a specific feature or behavior is only available to backers. Normal users will not have access to this particular item.
"}, {"location": "about/license/", "title": "License", "text": "MIT License
Copyright \u00a9 2024 Aetherinox
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"}, {"location": "blog/", "title": "Blog", "text": ""}, {"location": "cheatsheet/commands/", "title": "Cheatsheet: Commands", "text": "When installing, configuring, and running CSF; it is helpful to know where files and folders are stored within your system, and what their purpose is. A list of these files and folders used by CSF are provided below:
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#enable", "title": "Enable", "text": "-e, --enable
Enable csf and lfd if previously disabled
sudo csf -e\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#disable", "title": "Disable", "text": "-x, --disable
Disable csf and lfd completely
sudo csf -x\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#start", "title": "Start", "text": "-s, --start
Starts the firewall and applies any rules that have been configured at startup.
sudo csf -s\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#stop", "title": "Stop", "text": "-f, --stop
Flush/Stop firewall rules (Note: lfd may restart csf)
sudo csf -f\n
stop Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\nDeleting chain `ALLOWIN'\nDeleting chain `ALLOWOUT'\nDeleting chain `CC_ALLOWP'\nDeleting chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#restart", "title": "Restart", "text": "-r, --restart
Restart firewall rules (csf)
sudo csf -r\n
restart Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `OUTPUT'\nFlushing chain `ALLOWIN'\nFlushing chain `ALLOWOUT'\nFlushing chain `CC_ALLOWP'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#quick-restart", "title": "Quick Restart", "text": "-q, --startq
Quick restart (csf restarted by lfd)
sudo csf -q\n
startq lfd will restart csf within the next 5 seconds\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#force-restart", "title": "Force Restart", "text": "-sf, --startf
Force CLI restart regardless of LFDSTART setting
sudo csf -sf\n
startf Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `OUTPUT'\nFlushing chain `ALLOWIN'\nFlushing chain `ALLOWOUT'\nFlushing chain `CC_ALLOWP'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#restart-all", "title": "Restart All", "text": "-ra, --restartall
Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files
sudo csf -ra\n
restartall Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `OUTPUT'\nFlushing chain `ALLOWIN'\nFlushing chain `ALLOWOUT'\nFlushing chain `CC_ALLOWP'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#cluster-restart", "title": "Cluster Restart", "text": "-crs, --crestart
Cluster restart csf and lfd
sudo csf -crs\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#manage-lfd-daemon", "title": "Manage Lfd Daemon", "text": "--lfd [stop|start|restart|status]
Actions to take with the lfd daemon
sudo csf --lfd stop\nsudo csf --lfd start\nsudo csf --lfd restart\nsudo csf --lfd status\n
stop No output\n
start No output\n
restart \u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since 15ms ago\n Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 3782 (lfd - starting)\n Tasks: 1 (limit: 4613)\n Memory: 38.7M\n CPU: 366ms\n CGroup: /system.slice/lfd.service\n \u251c\u25003782 \"lfd - starting\"\n \u2514\u25003784 \"lfd - starting\"\n\nsystemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...\nsystemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.\n
status \u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since 1min 3s ago\n Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 3782 (lfd - sleeping)\n Tasks: 2 (limit: 4613)\n Memory: 45.2M\n CPU: 9.476s\n CGroup: /system.slice/lfd.service\n \u251c\u25003782 \"lfd - sleeping\"\n \u2514\u25003791 \"lfd UI\"\n\nsystemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...\nsystemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#check-for-updates", "title": "Check for Updates", "text": "-c, --check
Check for updates to csf but do not upgrade
sudo csf -c\n
Output csf is already at the latest version: v14.20\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#update", "title": "Update", "text": "-u, --update
Check for updates to csf and upgrade if available
sudo csf -u\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#update-force", "title": "Update (Force)", "text": "-uf
Force an update of csf whether an upgrade is required or not
sudo csf -uf\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#version", "title": "Version", "text": "-v, --version
Show csf version
sudo csf -v\n
Output csf: v14.20 (generic)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#list-firewall-rules-ipv4", "title": "List Firewall Rules (IPv4)", "text": "-l, --status
List/Show the IPv4 iptables configuration
sudo csf -l\n
Output iptables filter table\n=====================\nChain INPUT (policy DROP 0 packets, 0 bytes)\nnum pkts bytes target prot opt in out source destination \n1 33 2492 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000,5353\n2 758 55610 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000\n3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5353\n4 5209K 28G LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0 \n13 3 180 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22\n14 998 56956 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25\n15 123 5612 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53\n16 16 680 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:853\n17 2 100 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80\n18 74 3148 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110\n19 125 5624 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#list-firewall-rules-ipv6", "title": "List Firewall Rules (IPv6)", "text": "-l6, --status6
List/Show the IPv6 ip6tables configuration
sudo csf -l6\n
Output ip6tables filter table\n======================\nChain INPUT (policy DROP 0 packets, 0 bytes)\nnum pkts bytes target prot opt in out source destination \n8 0 0 ACCEPT all !lo * ::/0 ::/0 ctstate RELATED,ESTABLISHED\n9 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:20\n10 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:21\n11 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:22\n12 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:25\n13 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:53\n14 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:853\n15 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:80\n16 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:110\n17 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:143\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-ip-to-allow-list", "title": "Add IP to Allow List", "text": "-a, --add ip [comment]
Allow an IP and add to /etc/csf/csf.allow
sudo csf -a <IP_ADDRESS>\nsudo csf -a 142.250.189.142\n
Output Adding 142.250.189.142 to csf.allow and iptables ACCEPT...\ncsf: IPSET adding [142.250.189.142] to set [chain_ALLOW]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-ip-to-allow-list", "title": "Remove IP to Allow List", "text": "-ar, --addrm ip
Remove an IP from /etc/csf/csf.allow and delete the rule
sudo csf -ar <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-ip-to-deny-list", "title": "Add IP to Deny List", "text": "-d, --deny ip [comment]
Deny an IP and add to /etc/csf/csf.deny
sudo csf -d <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-ip-from-deny-list", "title": "Remove IP from Deny List", "text": "-dr, --denyrm ip
Unblock an IP and remove from /etc/csf/csf.deny
sudo csf -dr <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-all-ips-from-deny-list", "title": "Remove All IPs from Deny List", "text": "-df, --denyf
Remove and unblock all entries in /etc/csf/csf.deny
sudo csf -df\n
Output csf: all entries removed from csf.deny\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#grep-search-for-ip", "title": "Grep Search for IP", "text": "-g, --grep ip
Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
sudo csf -g <STRING>\nsudo csf -g 22\nsudo csf -g ACCEPT\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#lookup-ip", "title": "Lookup IP", "text": "-i, --iplookup ip
Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
sudo csf -i <IP_ADDRESS>\nsudo csf -i 142.250.189.142\n
Output 142.250.189.142 (US/United States/mia09s26-in-f14.1e100.net)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-temp-allowban-list", "title": "View Temp Allow/Ban List", "text": "-t, --temp
Displays the current list of temporary allow and deny IP entries with their TTL and comment
sudo csf -t\n
Output A/D IP address Port Dir Time To Live Comment\nALLOW 142.250.189.142 * inout 58m 56s Manually added: 142.250.189.142 (US/United States/mia09s26-in-f14.1e100.net)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-allowban-ip", "title": "Remove Temp Allow/Ban IP", "text": "-tr, --temprm ip
Remove an IP from the temporary IP ban or allow list
sudo csf -tr <IP_ADDRESS>\nsudo csf -tr 142.250.189.142\n
Output ACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142 \ncsf: 142.250.189.142 temporary allow removed\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-ban-ip", "title": "Remove Temp Ban IP", "text": "-trd, --temprmd ip
Remove an IP from the temporary IP ban list only
sudo csf -trd <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-allow-ip", "title": "Remove Temp Allow IP", "text": "-tra, --temprma ip
Remove an IP from the temporary IP allow list only
sudo csf -tra <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-temp-block-ip", "title": "Add Temp Block IP", "text": "-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default: in)
sudo csf -td <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-temp-allow-ip", "title": "Add Temp Allow IP", "text": "-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP allow list (default:inout)
sudo csf -ta <IP_ADDRESS>\nsudo csf -ta 142.250.189.142\n
Output ACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#flush-all-temp-ip-entries", "title": "Flush All Temp IP Entries", "text": "-tf, --tempf
Flush all IPs from the temporary IP entries
sudo csf -tf\n
Output csf: There are no temporary IP bans\nACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142 \ncsf: 142.250.189.142 temporary allow removed\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#initiate-lfd-log-scanner", "title": "Initiate Lfd Log Scanner", "text": "-lr, --logrun
Initiate Log Scanner report via lfd
sudo csf -lr\n
If you receive the following error in console:
Output Option LOGSCANNER needs to be enabled in csf.conf for this feature\n
Open your csf.conf configuration file, locate the setting LOGSCANNER, and change the value to 1:
###############################################################################\n# SECTION:Log Scanner\n###############################################################################\n# Log Scanner. This feature will send out an email summary of the log lines of\n# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless\n# they match a regular expression in /etc/csf/csf.logignore\n#\n# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,\n# be aware that the more files lfd has to track, the greater the performance\n# hit. Note: File globs are only evaluated when lfd is started\n#\n# Note: lfd builds the report continuously from lines logged after lfd has\n# started, so any lines logged when lfd is not running will not be reported\n# (e.g. during reboot). If lfd is restarted, then the report will include any\n# lines logged during the previous lfd logging period that weren't reported\n#\n# 1 to enable, 0 to disable\nLOGSCANNER = \"0\"\n
Then go back to console and re-run the command.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-ports", "title": "View Ports", "text": "-p, --ports
View ports on the server that have a running process behind them listening for external connections
sudo csf -p\n
Output Ports listening for external connections and the executables running behind them:\nPort/Proto Open Conn PID/User Command Line Executable\n631/tcp -/- - (1090/root) /usr/sbin/cupsd -l /usr/sbin/cupsd\n8546/tcp 4/6 - (4627/root) lfd UI /usr/bin/perl\n5353/udp -/- - (337/systemd-resolve /lib/systemd/systemd-resolved /usr/lib/systemd/systemd-resolved\n5353/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n40857/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n49833/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-graphs", "title": "View Graphs", "text": "--graphs [graph type] [directory]
Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements.
[graph type]
sudo csf --graphs <GRAPH_TYPE> <SAVE_PATH>\nsudo csf --graphs mem /home/$USER/graphs\n
If you run the above command and see the error:
Output ST_SYSTEM is disabled\n
Open your csf.conf configuration file, locate the setting ST_SYSTEM, and change the value to 1:
# This option will gather basic system statstics. Through the UI it displays\n# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:\n# . Hourly (per minute)\n# . 24 hours (per minute)\n# . 7 days (per minute averaged over an hour)\n# . 30 days (per minute averaged over an hour) - user definable\n# The data is stored in /var/lib/csf/stats/system and the option requires the\n# perl GD::Graph module\n#\n# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on\n# those systems do not store the required information in /proc/diskstats\n# On new installations or when enabling this option it will take time for these\n# graphs to be populated\nST_SYSTEM = \"0\"\n
If you receive the error:
Output Perl module GD::Graph is not installed/working\n
Install the package libgd-graph-perl:
sudo apt-get install libgd-graph-perl\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/conf/", "title": "Configure: csf.conf", "text": "Two versions of the config file have been provided below. A full version which contains comments, and a clean version which contains no comments and only the config settings.
You may copy the contents and place them within your server under the path /etc/csf/csf.conf.
After you have set your config file to its desired values, you must restart the CSF service to apply the configuration. Open Terminal and run:
sudo csf -r\n
You can also restart both CSF and LFD services with -ra, --restartall
sudo csf -ra\n
", "tags": ["configure"]}, {"location": "cheatsheet/conf/#full-version", "title": "Full Version", "text": "###############################################################################\n# SECTION:Initial Settings\n###############################################################################\n# Testing flag - enables a CRON job that clears iptables incase of\n# configuration problems when you start csf. This should be enabled until you\n# are sure that the firewall works - i.e. incase you get locked out of your\n# server! Then do remember to set it to 0 and restart csf when you're sure\n# everything is OK. Stopping csf will remove the line from /etc/crontab\n#\n# lfd will not start while this is enabled\nTESTING = \"0\"\n\n# The interval for the crontab in minutes. Since this uses the system clock the\n# CRON job will run at the interval past the hour and not from when you issue\n# the start command. Therefore an interval of 5 minutes means the firewall\n# will be cleared in 0-5 minutes from the firewall start\nTESTING_INTERVAL = \"5\"\n\n# SECURITY WARNING\n# ================\n#\n# Unfortunately, syslog and rsyslog allow end-users to log messages to some\n# system logs via the same unix socket that other local services use. 
This \n# means that any log line shown in these system logs that syslog or rsyslog\n# maintain can be spoofed (they are exactly the same as real log lines).\n#\n# Since some of the features of lfd rely on such log lines, spoofed messages\n# can cause false-positive matches which can lead to confusion at best, or\n# blocking of any innocent IP address or making the server inaccessible at\n# worst.\n#\n# Any option that relies on the log entries in the files listed in\n# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered\n# vulnerable to exploitation by end-users and scripts run by end-users.\n#\n# NOTE: Not all log files are affected as they may not use syslog/rsyslog\n#\n# The option RESTRICT_SYSLOG disables all these features that rely on affected\n# logs. These options are:\n# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT\n# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP\n# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT\n# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT\n#\n# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:\n# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG\n#\n# The following options are still enabled by default on new installations so\n# that, on balance, csf/lfd still provides expected levels of security:\n# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT\n#\n# If you set RESTRICT_SYSLOG to \"0\" or \"2\" and enable any of the options listed\n# above, it should be done with the knowledge that any of the those options\n# that are enabled could be triggered by spoofed log lines and lead to the\n# server being inaccessible in the worst case. 
If you do not want to take that\n# risk you should set RESTRICT_SYSLOG to \"1\" and those features will not work\n# but you will not be protected from the exploits that they normally help block\n#\n# The recommended setting for RESTRICT_SYSLOG is \"3\" to restrict who can access\n# the syslog/rsyslog unix socket.\n#\n# For further advice on how to help mitigate these issues, see\n# /etc/csf/readme.txt\n#\n# 0 = Allow those options listed above to be used and configured\n# 1 = Disable all the options listed above and prevent them from being used\n# 2 = Disable only alerts about this feature and do nothing else\n# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **\nRESTRICT_SYSLOG = \"0\"\n\n# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts\n# write access to the syslog/rsyslog unix socket(s). The group must not already\n# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option\n# to a unique name for the server\n#\n# You can add users to this group by changing /etc/csf/csf.syslogusers and then\n# restarting lfd afterwards. This will create the system group and add the\n# users from csf.syslogusers if they exist to that group and will change the\n# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be\n# monitored and the permissions re-applied should syslog/rsyslog be restarted\n#\n# Using this option will prevent some legitimate logging, e.g. end-user cron\n# job logs\n#\n# If you want to revert RESTRICT_SYSLOG to another option and disable this\n# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then\n# syslog/rsyslog and the unix sockets will be reset\nRESTRICT_SYSLOG_GROUP = \"mysyslog\"\n\n# This options restricts the ability to modify settings within this file from\n# the csf UI. Should the parent control panel be compromised, these restricted\n# options could be used to further compromise the server. 
For this reason we\n# recommend leaving this option set to at least \"1\" and if any of the\n# restricted items need to be changed, they are done so from the root shell\n#\n# 0 = Unrestricted UI\n# 1 = Restricted UI\n# 2 = Disabled UI\nRESTRICT_UI = \"1\"\n\n# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which\n# runs once per day to see if there is an update to csf+lfd and upgrades if\n# available and restarts csf and lfd\n#\n# You should check for new version announcements at http://blog.configserver.com\nAUTO_UPDATES = \"1\"\n\n###############################################################################\n# SECTION:IPv4 Port Settings\n###############################################################################\n# Lists of ports in the following comma separated lists can be added using a\n# colon (e.g. 30000:35000).\n\n# Some kernel/iptables setups do not perform stateful connection tracking\n# correctly (typically some virtual servers or custom compiled kernels), so a\n# SPI firewall will not function correctly. If this happens, LF_SPI can be set\n# to 0 to reconfigure csf as a static firewall.\n#\n# As connection tracking will not be configured, applications that rely on it\n# will not function unless all outgoing ports are opened. Therefore, all\n# outgoing connections will be allowed once all other tests have completed. So\n# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.\n#\n# If you allow incoming DNS lookups you may need to use the following\n# directive in the options{} section of your named.conf:\n#\n# query-source port 53;\n#\n# This will force incoming DNS traffic only through port 53\n#\n# Disabling this option will break firewall functionality that relies on\n# stateful packet inspection (e.g. 
DNAT, PACKET_FILTER) and makes the firewall\n# less secure\n#\n# This option should be set to \"1\" in all other circumstances\nLF_SPI = \"1\"\n\n# Allow incoming TCP ports\nTCP_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\n\n# Allow outgoing TCP ports\nTCP_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\n\n# Allow incoming UDP ports\nUDP_IN = \"20,21,53,853,80,443\"\n\n# Allow outgoing UDP ports\n# To allow outgoing traceroute add 33434:33523 to this list \nUDP_OUT = \"20,21,53,853,113,123\"\n\n# Allow incoming PING. Disabling PING will likely break external uptime\n# monitoring\nICMP_IN = \"1\"\n\n# Set the per IP address incoming ICMP packet rate for PING requests. This\n# ratelimits PING requests which if exceeded results in silently rejected\n# packets. Disable or increase this value if you are seeing PING drops that you\n# do not want\n#\n# To disable rate limiting set to \"0\", otherwise set according to the iptables\n# documentation for the limit module. For example, \"1/s\" will limit to one\n# packet per second\nICMP_IN_RATE = \"1/s\"\n\n# Allow outgoing PING\n#\n# Unless there is a specific reason, this option should NOT be disabled as it\n# could break OS functionality\nICMP_OUT = \"1\"\n\n# Set the per IP address outgoing ICMP packet rate for PING requests. This\n# ratelimits PING requests which if exceeded results in silently rejected\n# packets. Disable or increase this value if you are seeing PING drops that you\n# do not want\n#\n# Unless there is a specific reason, this option should NOT be enabled as it\n# could break OS functionality\n#\n# To disable rate limiting set to \"0\", otherwise set according to the iptables\n# documentation for the limit module. For example, \"1/s\" will limit to one\n# packet per second\nICMP_OUT_RATE = \"0\"\n\n# For those with PCI Compliance tools that state that ICMP timestamps (type 13)\n# should be dropped, you can enable the following option. 
Otherwise, there\n# appears to be little evidence that it has anything to do with a security risk\n# and can impact network performance, so should be left disabled by everyone\n# else\nICMP_TIMESTAMPDROP = \"0\"\n\n###############################################################################\n# SECTION:IPv6 Port Settings\n###############################################################################\n# IPv6: (Requires ip6tables)\n#\n# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static\n# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below\n#\n# Supported:\n# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,\n# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS, \n# SYNFLOOD, LF_NETBLOCK\n#\n# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled\n# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,\n# CC_ALLOW_SMTPAUTH\n#\n# Supported if ip6tables >= 1.4.3:\n# PORTFLOOD, CONNLIMIT\n#\n# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is\n# installed:\n# MESSENGER DOCKER SMTP_REDIRECT\n#\n# Not supported:\n# ICMP_IN, ICMP_OUT\n#\nIPV6 = \"1\"\n\n# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6\n# traffic in the INPUT and OUTPUT chains. However, this could increase the risk\n# of icmpv6 attacks. To restrict incoming icmpv6, set to \"1\" but may break some\n# connection types\nIPV6_ICMP_STRICT = \"0\"\n\n# Pre v2.6.20 kernel must set this option to \"0\" as no working state module is\n# present, so a static firewall is configured as a fallback\n#\n# A workaround has been added for CentOS/RedHat v5 and custom kernels that do\n# not support IPv6 connection tracking by opening ephemeral port range\n# 32768:61000. This is only applied if IPV6_SPI is not enabled. 
This is the\n# same workaround implemented by RedHat in the sample default IPv6 rules\n#\n# As connection tracking will not be configured, applications that rely on it\n# will not function unless all outgoing ports are opened. Therefore, all\n# outgoing connections will be allowed once all other tests have completed. So\n# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.\n#\n# If you allow incoming ipv6 DNS lookups you may need to use the following\n# directive in the options{} section of your named.conf:\n#\n# query-source-v6 port 53;\n#\n# This will force ipv6 incoming DNS traffic only through port 53\n#\n# These changes are not necessary if the SPI firewall is used\nIPV6_SPI = \"1\"\n\n# Allow incoming IPv6 TCP ports\nTCP6_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\n\n# Allow outgoing IPv6 TCP ports\nTCP6_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\n\n# Allow incoming IPv6 UDP ports\nUDP6_IN = \"20,21,53,853,80,443\"\n\n# Allow outgoing IPv6 UDP ports\n# To allow outgoing traceroute add 33434:33523 to this list \nUDP6_OUT = \"20,21,53,853,113,123\"\n\n###############################################################################\n# SECTION:General Settings\n###############################################################################\n# By default, csf will auto-configure iptables to filter all traffic except on\n# the loopback device. If you only want iptables rules applied to a specific\n# NIC, then list it here (e.g. eth1, or eth+)\nETH_DEVICE = \"\"\n\n# By adding a device to this option, ip6tables can be configured only on the\n# specified device. 
Otherwise, ETH_DEVICE and then the default setting will be\n# used\nETH6_DEVICE = \"\"\n\n# If you don't want iptables rules applied to specific NICs, then list them in\n# a comma separated list (e.g \"eth1,eth2\")\nETH_DEVICE_SKIP = \"\"\n\n# This option should be enabled unless the kernel does not support the\n# \"conntrack\" module\n#\n# To use the deprecated iptables \"state\" module, change this to 0\nUSE_CONNTRACK = \"1\"\n\n# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)\n# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper\n# This will also remove the RELATED target from the global state iptables rule\n#\n# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or\n# the raw tables do not exist. The USE_CONNTRACK option should be enabled\n#\n# To enable this option, set it to your FTP server listening port number\n# (normally 21), do NOT set it to \"1\"\nUSE_FTPHELPER = \"0\"\n\n# Check whether syslog is running. Many of the lfd checks require syslog to be\n# running correctly. This test will send a coded message to syslog every\n# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded\n# message. If it fails to do so within SYSLOG_CHECK seconds an alert using\n# syslogalert.txt is sent\n#\n# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable\nSYSLOG_CHECK = \"0\"\n\n# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses\n# listed in csf.allow in addition to csf.ignore (the default). This option\n# should be used with caution as it would mean that IP's allowed through the\n# firewall from infected PC's could launch attacks on the server that lfd\n# would ignore\nIGNORE_ALLOW = \"0\"\n\n# Enable the following option if you want to apply strict iptables rules to DNS\n# traffic (i.e. relying on iptables connection tracking). 
Enabling this option\n# could cause DNS resolution issues both to and from the server but could help\n# prevent abuse of the local DNS server\nDNS_STRICT = \"0\"\n\n# Enable the following option if you want to apply strict iptables rules to DNS\n# traffic between the server and the nameservers listed in /etc/resolv.conf\n# Enabling this option could cause DNS resolution issues both to and from the\n# server but could help prevent abuse of the local DNS server\nDNS_STRICT_NS = \"0\"\n\n# Limit the number of IP's kept in the /etc/csf/csf.deny file\n#\n# Care should be taken when increasing this value on servers with low memory\n# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the\n# thousands) can sometimes cause network slowdown\n#\n# The value set here is the maximum number of IPs/CIDRs allowed\n# if the limit is reached, the entries will be rotated so that the oldest\n# entries (i.e. the ones at the top) will be removed and the latest is added.\n# The limit is only checked when using csf -d (which is what lfd also uses)\n# Set to 0 to disable limiting\n#\n# For implementations wishing to set this value significantly higher, we\n# recommend using the IPSET option\nDENY_IP_LIMIT = \"200\"\n\n# Limit the number of IP's kept in the temporary IP ban list. If the limit is\n# reached the oldest IP's in the ban list will be removed and allowed\n# regardless of the amount of time remaining for the block\n# Set to 0 to disable limiting\nDENY_TEMP_IP_LIMIT = \"100\"\n\n# Enable login failure detection daemon (lfd). If set to 0 none of the\n# following settings will have any effect as the daemon won't start.\nLF_DAEMON = \"1\"\n\n# Check whether csf appears to have been stopped and restart if necessary,\n# unless TESTING is enabled above. The check is done every 300 seconds\nLF_CSF = \"1\"\n\n# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,\n# IP6TABLES_RESTORE in two ways:\n#\n# 1. 
On a clean server reboot the entire csf iptables configuration is saved\n# and then restored where possible to provide a near instant firewall\n# startup[*]\n#\n# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,\n# BOGON, TOR are loaded using this method in a fraction of the time taken when\n# this setting is disabled\n#\n# [*]Not supported on all OS platforms\n#\n# Set to \"0\" to disable this functionality\nFASTSTART = \"1\"\n\n# This option allows you to use ipset v6+ for the following csf options:\n# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,\n# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER\n#\n# ipset will only be used with the above options when listing IPs and CIDRs.\n# Advanced Allow Filters and temporary blocks use traditional iptables\n#\n# Using ipset moves the onus of ip matching against large lists away from\n# iptables rules and to a purpose built and optimised database matching\n# utility. It also simplifies the switching in of updated lists\n#\n# To use this option you must have a fully functioning installation of ipset\n# installed either via rpm or source from http://ipset.netfilter.org/\n# \n# Note: Using ipset has many advantages, some disadvantages are that you will\n# no longer see packet and byte counts against IPs and it makes identifying\n# blocked/allowed IPs that little bit harder\n#\n# Note: If you mainly use IP address only entries in csf.deny, you can increase\n# the value of DENY_IP_LIMIT significantly if you wish\n# \n# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ\n# containers even if it has been installed\n#\n# If you find any problems, please post on forums.configserver.com with full\n# details of the issue\nLF_IPSET = \"0\"\n\n# Versions of iptables greater or equal to v1.4.20 should support the --wait\n# option. 
This forces iptables commands that use the option to wait until a\n# lock by any other process using iptables completes, rather than simply\n# failing\n#\n# Enabling this feature will add the --wait option to iptables commands\n#\n# NOTE: The disadvantage of using this option is that any iptables command that\n# uses it will hang until the lock is released. This could cause a cascade of\n# hung processes trying to issue iptables commands. To try and avoid this issue\n# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger\n# a failure if reached\nWAITLOCK = \"1\"\nWAITLOCK_TIMEOUT = \"300\"\n\n# The following sets the hashsize for ipset sets, which must be a power of 2.\n#\n# Note: Increasing this value will consume more memory for all sets\n# Default: \"1024\"\nLF_IPSET_HASHSIZE = \"1024\"\n\n# The following sets the maxelem for ipset sets.\n#\n# Note: Increasing this value will consume more memory for all sets\n# Default: \"65536\"\nLF_IPSET_MAXELEM = \"65536\"\n\n# If you enable this option then whenever a CLI request to restart csf is used\n# lfd will restart csf instead within LF_PARSE seconds\n#\n# This feature can be helpful for restarting configurations that cannot use\n# FASTSTART\nLFDSTART = \"0\"\n\n# Enable verbose output of iptables commands\nVERBOSE = \"1\"\n\n# Drop out of order packets and packets in an INVALID state in iptables\n# connection tracking\nPACKET_FILTER = \"1\"\n\n# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)\nLF_LOOKUPS = \"1\"\n\n# Custom styling is possible in the csf UI. See the readme.txt for more\n# information under \"UI skinning and Mobile View\"\n#\n# This option enables the use of custom styling. If the styling fails to work\n# correctly, e.g. 
custom styling does not take into account a change in the\n# standard csf UI, then disabling this option will return the standard UI\nSTYLE_CUSTOM = \"0\"\n\n# This option disables the presence of the Mobile View in the csf UI\nSTYLE_MOBILE = \"1\"\n\n###############################################################################\n# SECTION:SMTP Settings\n###############################################################################\n# Block outgoing SMTP except for root, exim and mailman (forces scripts/users\n# to use the exim/sendmail binary instead of sockets access). This replaces the\n# protection as WHM > Tweak Settings > SMTP Tweaks\n#\n# This option uses the iptables ipt_owner/xt_owner module and must be loaded\n# for it to work. It may not be available on some VPS platforms\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nSMTP_BLOCK = \"0\"\n\n# If SMTP_BLOCK is enabled but you want to allow local connections to port 25\n# on the server (e.g. for webmail or web scripts) then enable this option to\n# allow outgoing SMTP connections to the loopback device\nSMTP_ALLOWLOCAL = \"1\"\n\n# This option redirects outgoing SMTP connections destined for remote servers\n# for non-bypass users to the local SMTP server to force local relaying of\n# email. Such email may require authentication (SMTP AUTH)\nSMTP_REDIRECT = \"0\"\n\n# This is a comma separated list of the ports to block. 
You should list all\n# ports that exim is configured to listen on\nSMTP_PORTS = \"25,465,587\"\n\n# Always allow the following comma separated users and groups to bypass\n# SMTP_BLOCK\n#\n# Note: root (UID:0) is always allowed\nSMTP_ALLOWUSER = \"\"\nSMTP_ALLOWGROUP = \"mail,mailman\"\n\n# This option will only allow SMTP AUTH to be advertised to the IP addresses\n# listed in /etc/csf/csf.smtpauth on EXIM mail servers\n#\n# The additional option CC_ALLOW_SMTPAUTH can be used with this option to\n# additionally restrict access to specific countries\n#\n# This is to help limit attempts at distributed attacks against SMTP AUTH which\n# are difficult to achieve since port 25 needs to be open to relay email\n#\n# The reason why this works is that if EXIM does not advertise SMTP AUTH on a\n# connection, then SMTP AUTH will not accept logins, defeating the attacks\n# without restricting mail relaying\n#\n# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so\n# that the lookup file in /etc/exim.smtpauth is regenerated from the\n# information from /etc/csf/csf.smtpauth plus any countries listed in\n# CC_ALLOW_SMTPAUTH\n#\n# NOTE: To make this option work you MUST make the modifications to exim.conf\n# as explained in \"Exim SMTP AUTH Restriction\" section in /etc/csf/readme.txt\n# after enabling the option here, otherwise this option will not work\n#\n# To enable this option, set to 1 and make the exim configuration changes\n# To disable this option, set to 0 and undo the exim configuration changes\nSMTPAUTH_RESTRICT = \"0\"\n\n###############################################################################\n# SECTION:Port Flood Settings\n###############################################################################\n# Enable SYN Flood Protection. This option configures iptables to offer some\n# protection from tcp SYN packet DOS attempts. 
You should set the RATE so that\n# false-positives are kept to a minimum otherwise visitors may see connection\n# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables\n# man page for the correct --limit rate syntax\n#\n# Note: This option should ONLY be enabled if you know you are under a SYN\n# flood attack as it will slow down all new connections from any IP address to\n# the server if triggered\nSYNFLOOD = \"0\"\nSYNFLOOD_RATE = \"100/s\"\nSYNFLOOD_BURST = \"150\"\n\n# Connection Limit Protection. This option configures iptables to offer more\n# protection from DOS attacks against specific ports. It can also be used as a\n# way to simply limit resource usage by IP address to specific server services.\n# This option limits the number of concurrent new connections per IP address\n# that can be made to specific ports\n#\n# This feature does not work on servers that do not have the iptables module\n# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Connection Limit Protection\n# section of the csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nCONNLIMIT = \"\"\n\n# Port Flood Protection. This option configures iptables to offer protection\n# from DOS attacks against specific ports. This option limits the number of\n# new connections per time interval that can be made to specific ports\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. 
VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Port Flood Protection\n# section of the csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nPORTFLOOD = \"\"\n\n# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.\n# These typically originate from exploit scripts uploaded through vulnerable\n# web scripts. Care should be taken on servers that use services that utilise\n# high levels of UDP outbound traffic, such as SNMP, so you may need to alter\n# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment\n#\n# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature\nUDPFLOOD = \"0\"\nUDPFLOOD_LIMIT = \"100/s\"\nUDPFLOOD_BURST = \"500\"\n\n# This is a list of usernames that should not be rate limited, such as \"named\"\n# to prevent bind traffic from being limited.\n#\n# Note: root (UID:0) is always allowed\nUDPFLOOD_ALLOWUSER = \"named\"\n\n###############################################################################\n# SECTION:Logging Settings\n###############################################################################\n# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the\n# perl module Sys::Syslog installed to use this feature\nSYSLOG = \"0\"\n\n# Drop target for incoming iptables rules. This can be set to either DROP or\n# REJECT. REJECT will send back an error packet, DROP will not respond at all.\n# REJECT is more polite, however it does provide extra information to a hacker\n# and lets them know that a firewall is blocking their attempts. DROP hangs\n# their connection, thereby frustrating attempts to port scan the server\nDROP = \"DROP\"\n\n# Drop target for outgoing iptables rules. 
This can be set to either DROP or\n# REJECT as with DROP, however as such connections are from this server it is\n# better to REJECT connections to closed ports rather than to DROP them. This\n# helps to immediately free up server resources rather than tying them up until\n# a connection times out. It also tells the process making the connection that\n# it has immediately failed\n#\n# It is possible that some monolithic kernels may not support the REJECT\n# target. If this is the case, csf checks before using REJECT and falls back to\n# using DROP, issuing a warning to set this to DROP instead\nDROP_OUT = \"REJECT\"\n\n# Enable logging of dropped connections to blocked ports to syslog, usually\n# /var/log/messages. This option needs to be enabled to use Port Scan Tracking\nDROP_LOGGING = \"1\"\n\n# Enable logging of dropped incoming connections from blocked IP addresses\n#\n# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)\nDROP_IP_LOGGING = \"0\"\n\n# Enable logging of dropped outgoing connections\n#\n# Note: Only outgoing SYN packets for TCP connections are logged, other\n# protocols log all packets\n#\n# We recommend that you enable this option\nDROP_OUT_LOGGING = \"1\"\n\n# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting\n# out (where available) which can help track abuse\nDROP_UID_LOGGING = \"1\"\n\n# Only log incoming reserved port dropped connections (0:1023). This can reduce\n# the amount of log noise from dropped connections, but will affect options\n# such as Port Scan Tracking (PS_INTERVAL)\nDROP_ONLYRES = \"0\"\n\n# Commonly blocked ports that you do not want logging as they tend to just fill\n# up the log file. 
These ports are specifically blocked (applied to TCP and UDP\n# protocols) for incoming connections\nDROP_NOLOG = \"23,67,68,111,113,135:139,445,500,513,520\"\n\n# Log packets dropped by the packet filtering option PACKET_FILTER\nDROP_PF_LOGGING = \"0\"\n\n# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If\n# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP\n# addresses breaking the Connection Limit Protection will be blocked\nCONNLIMIT_LOGGING = \"0\"\n\n# Enable logging of UDP floods. This should be enabled, especially with User ID\n# Tracking enabled\nUDPFLOOD_LOGGING = \"1\"\n\n# Send an alert if log file flooding is detected which causes lfd to skip log\n# lines to prevent lfd from looping. If this alert is sent you should check the\n# reported log file for the reason for the flooding\nLOGFLOOD_ALERT = \"0\"\n\n###############################################################################\n# SECTION:Reporting Settings\n###############################################################################\n# By default, lfd will send alert emails using the relevant alert template to\n# the To: address configured within that template. Setting the following\n# option will override the configured To: field in all lfd alert emails\n#\n# Leave this option empty to use the To: field setting in each alert template\nLF_ALERT_TO = \"\"\n\n# By default, lfd will send alert emails using the relevant alert template from\n# the From: address configured within that template. Setting the following\n# option will override the configured From: field in all lfd alert emails\n#\n# Leave this option empty to use the From: field setting in each alert template\nLF_ALERT_FROM = \"\"\n\n# By default, lfd will send all alerts using the SENDMAIL binary. To send using\n# SMTP directly, you can set the following to a relaying SMTP server, e.g.\n# \"127.0.0.1\". Leave this setting blank to use SENDMAIL\nLF_ALERT_SMTP = \"\"\n\n# Block Reporting. 
lfd can run an external script when it performs an IP\n# address block following, for example, a login failure. The following setting\n# is the full path of the external script which must be executable. See\n# readme.txt for format details\n#\n# Leave this setting blank to disable\nBLOCK_REPORT = \"\"\n\n# To also run an external script when a temporary block is unblocked. The\n# following setting can be the full path of the external script which must be\n# executable. See readme.txt for format details\n#\n# Leave this setting blank to disable\nUNBLOCK_REPORT = \"\"\n\n# In addition to the standard lfd email alerts, you can additionally enable the\n# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only\n# block alert messages will be sent. The reports use our schema at:\n# https://download.configserver.com/abuse_login-attack_0.2.json\n#\n# These reports are in a format accepted by many Netblock owners and should\n# help them investigate abuse. This option is not designed to automatically\n# forward these reports to the Netblock owners and should be checked for\n# false-positive blocks before reporting\n#\n# If available, the report will also include the abuse contact for the IP from\n# the Abusix Contact DB: https://abusix.com/contactdb.html\n#\n# Note: The following block types are not reported through this feature:\n# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT\nX_ARF = \"0\"\n\n# By default, lfd will send emails from the root forwarder. Setting the\n# following option will override this\nX_ARF_FROM = \"\"\n\n# By default, lfd will send emails to the root forwarder. Setting the following\n# option will override this\nX_ARF_TO = \"\"\n\n# If you want to automatically send reports to the abuse contact where found,\n# you can enable the following option\n#\n# Note: You MUST set X_ARF_FROM to a valid email address for this option to\n# work. 
This is so that the abuse contact can reply to the report\n#\n# However, you should be aware that without manual checking you could be\n# reporting innocent IP addresses, including your own clients, yourself and\n# your own servers\n#\n# Additionally, just because a contact address is found, does not mean that\n# there is anyone on the end of it reading, processing or acting on such\n# reports and you could conceivably be reported for sending spam\n#\n# We do not recommend enabling this option. Abuse reports should be checked and\n# verified before being forwarded to the abuse contact\nX_ARF_ABUSE = \"0\"\n\n###############################################################################\n# SECTION:Temp to Perm/Netblock Settings\n###############################################################################\n# Temporary to Permanent IP blocking. The following enables this feature to\n# permanently block IP addresses that have been temporarily blocked more than\n# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set\n# LF_PERMBLOCK to \"1\" to enable this feature\n#\n# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be\n# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting\n# (TTL) for blocked IPs, to be effective\n#\n# Set LF_PERMBLOCK to \"0\" to disable this feature\nLF_PERMBLOCK = \"1\"\nLF_PERMBLOCK_INTERVAL = \"86400\"\nLF_PERMBLOCK_COUNT = \"4\"\nLF_PERMBLOCK_ALERT = \"1\"\n\n# Permanently block IPs by network class. The following enables this feature\n# to permanently block classes of IP address where individual IP addresses\n# within the same class LF_NETBLOCK_CLASS have already been blocked more than\n# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. 
Set\n# LF_NETBLOCK to \"1\" to enable this feature\n#\n# This can be an effective way of blocking DDOS attacks launched from within\n# the same network class\n#\n# Valid settings for LF_NETBLOCK_CLASS are \"A\", \"B\" and \"C\", care and\n# consideration is required when blocking network classes A or B\n#\n# Set LF_NETBLOCK to \"0\" to disable this feature\nLF_NETBLOCK = \"0\"\nLF_NETBLOCK_INTERVAL = \"86400\"\nLF_NETBLOCK_COUNT = \"4\"\nLF_NETBLOCK_CLASS = \"C\"\nLF_NETBLOCK_ALERT = \"1\"\n\n# Valid settings for LF_NETBLOCK_IPV6 are \"/64\", \"/56\", \"/48\", \"/32\" and \"/24\"\n# Great care should be taken with IPV6 netblock ranges due to the large number\n# of addresses involved\n#\n# To disable IPv6 netblocks set to \"\"\nLF_NETBLOCK_IPV6 = \"\"\n\n###############################################################################\n# SECTION:Global Lists/DYNDNS/Blocklists\n###############################################################################\n# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,\n# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new\n# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT\n# chain, then flush and delete the old dynamic chain and rename the new chain.\n#\n# This prevents a small window of opportunity opening when an update occurs and\n# the dynamic chain is flushed for the new rules.\n#\n# This option should not be enabled on servers with long dynamic chains (e.g.\n# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on\n# Virtuozzo VPS servers with a restricted numiptent value. 
This is because each\n# chain will effectively be duplicated while the update occurs, doubling the\n# number of iptables rules\nSAFECHAINUPDATE = \"0\"\n\n# If you wish to allow access from dynamic DNS records (for example if your IP\n# address changes whenever you connect to the internet but you have a dedicated\n# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN\n# records in csf.dyndns and then set the following to the number of seconds to\n# poll for a change in the IP address. If the IP address has changed iptables\n# will be updated.\n#\n# If the FQDN has multiple A records then all of the IP addresses will be\n# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will\n# also be allowed.\n# \n# A setting of 600 would check for IP updates every 10 minutes. Set the value\n# to 0 to disable the feature\nDYNDNS = \"0\"\n\n# To always ignore DYNDNS IP addresses in lfd blocking, set the following\n# option to 1\nDYNDNS_IGNORE = \"0\"\n\n# The following Global options allow you to specify a URL where csf can grab a\n# centralised copy of an IP allow or deny block list of your own. You need to\n# specify the full URL in the following options, i.e.:\n# http://www.somelocation.com/allow.txt\n#\n# The actual retrieval of these IP's is controlled by lfd, so you need to set\n# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd\n# will perform the retrieval when it runs and then again at the specified\n# interval. A sensible interval would probably be every 3600 seconds (1 hour).\n# A minimum value of 300 is enforced for LF_GLOBAL if enabled\n#\n# You do not have to specify both an allow and a deny file\n#\n# You can also configure a global ignore file for IP's that lfd should ignore\nLF_GLOBAL = \"0\"\n\nGLOBAL_ALLOW = \"\"\nGLOBAL_DENY = \"\"\nGLOBAL_IGNORE = \"\"\n\n# Provides the same functionality as DYNDNS but with a GLOBAL URL file. 
Set\n# this to the URL of the file containing DYNDNS entries\nGLOBAL_DYNDNS = \"\"\n\n# Set the following to the number of seconds to poll for a change in the IP\n# address resolved from GLOBAL_DYNDNS\nGLOBAL_DYNDNS_INTERVAL = \"600\"\n\n# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following\n# option to 1\nGLOBAL_DYNDNS_IGNORE = \"0\"\n\n# Blocklists are controlled by modifying /etc/csf/csf.blocklists\n#\n# If you don't want BOGON rules applied to specific NICs, then list them in\n# a comma separated list (e.g \"eth1,eth2\")\nLF_BOGON_SKIP = \"\"\n\n# The following option can be used to select the method csf will use to\n# retrieve URL data and files\n#\n# This can be set to use:\n#\n# 1. Perl module HTTP::Tiny\n# 2. Perl module LWP::UserAgent\n# 3. CURL/WGET (set location at the bottom of csf.conf if installed)\n#\n# HTTP::Tiny is much faster than LWP::UserAgent and is included in the csf\n# distribution. LWP::UserAgent may have to be installed manually, but it can\n# better support https:// URL's which also needs the LWP::Protocol::https perl\n# module\n#\n# CURL/WGET uses the system binaries if installed but does not always provide\n# good feedback when it fails. The script will first look for CURL, if that\n# does not exist at the configured location it will then look for WGET\n#\n# Additionally, if 1 or 2 are used and the retrieval fails, then if either CURL\n# or WGET are available, an additional attempt will be made using CURL/WGET. 
This is\n# useful if the perl distribution has outdated modules that do not support\n# modern SSL/TLS implementations\n#\n# To install the LWP perl modules required:\n#\n# On rpm based systems:\n# \n# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch\n#\n# On APT based systems:\n#\n# apt-get install libwww-perl liblwp-protocol-https-perl\n#\n# Via cpan:\n#\n# perl -MCPAN -eshell\n# cpan> install LWP LWP::Protocol::https\n#\n# We recommend setting this to \"2\" or \"3\" as upgrades to csf will be\n# performed over SSL as well as other URLs used when retrieving external data\n#\n# \"1\" = HTTP::Tiny\n# \"2\" = LWP::UserAgent\n# \"3\" = CURL/WGET (set location at the bottom of csf.conf)\nURLGET = \"2\"\n\n# If you need csf/lfd to use a proxy, then you can set this option to the URL\n# of the proxy. The proxy provided will be used for both HTTP and HTTPS\n# connections\nURLPROXY = \"\"\n\n###############################################################################\n# SECTION:Country Code Lists and Settings\n###############################################################################\n# Country Code to CIDR allow/deny. In the following options you can allow or\n# deny whole country CIDR ranges. The CIDR blocks are obtained from a selected\n# source below. They also display Country Code Country and City for reported IP\n# addresses and lookups\n#\n# There are a number of sources for these databases, before utilising them you\n# need to visit each site and ensure you abide by their license provisions\n# where stated:\n\n# 1. MaxMind\n#\n# MaxMind GeoLite2 Country/City and ASN databases at:\n# https://dev.MaxMind.com/geoip/geoip2/geolite2/\n# This feature relies entirely on that service being available\n#\n# Advantages: This is a one stop shop for all of the databases required for\n# these features. 
# They provide a consistent dataset for blocking and reporting purposes
#
# Disadvantages: MaxMind require a license key to download their databases.
# This is free of charge, but requires the user to create an account on their
# website to generate the required key:
#
# WARNING: As of 2019-12-29, MaxMind REQUIRES you to create an account on their
# site and to generate a license key to use their databases. See:
# https://www.maxmind.com/en/geolite2/signup
# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
#
# You MUST set the following to continue using the IP lookup features of csf,
# otherwise an error will be generated and the features will not work.
# Alternatively set CC_SRC below to a different provider
#
# MaxMind License Key:
MM_LICENSE_KEY = ""

# 2. DB-IP, ipdeny.com, iptoasn.com
#
# Advantages: The ipdeny.com databases for CC blocking are better optimised
# and so are quicker to process and create fewer iptables entries. All of these
# databases are free to download without requiring login or key
#
# Disadvantages: Multiple sources mean that any one of the three could
# interrupt the provision of these features. It may also mean that there are
# inconsistencies between them
#
# https://db-ip.com/db/lite.php
# http://ipdeny.com/
# https://iptoasn.com/
# http://download.geonames.org/export/dump/readme.txt

# Set the following to your preferred source:
#
# "1" - MaxMind
# "2" - db-ip, ipdeny, iptoasn
#
# The default is "2" on new installations of csf, or set to "1" to use the
# MaxMind databases after obtaining a license key
CC_SRC = "2"

# In the following options, specify the two-letter ISO Country Code(s).
# The iptables rules are for incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs.
# More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISPs (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packet rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere.
# This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN;
# then only countries listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules so that individual IP addresses can still be allowed
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here; then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CCs
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM.
# This is to help limit attempts at distributed attacks against SMTP AUTH,
# which are difficult to achieve since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# and severely impact SMTP (mail) performance, so care must be taken when
# selecting countries, and the selection reviewed if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# These options can control which IP blocks are redirected to the MESSENGER
# service, if it is enabled
#
# If Country Codes are listed in CC_MESSENGER_ALLOW, then only a blocked IP
# that resolves to one of those Country Codes will be redirected to the
# MESSENGER service
#
# If Country Codes are listed in CC_MESSENGER_DENY, then a blocked IP that
# resolves to one of those Country Codes will NOT be redirected to the
# MESSENGER service
#
CC_MESSENGER_ALLOW = ""
CC_MESSENGER_DENY = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries smaller than a /16,
# set this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the databases enabled at the top of this section.
# An additional option is also available if you cannot use those databases:
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (db-ip.com)
#
# Note: "4" does not use the databases enabled at the top of this section
# directly for lookups. Instead it uses a URL-based lookup from
# https://db-ip.com and so avoids having to download and process the large
# databases. Please visit https://db-ip.com and read their limitations and
# understand that this option will either cease to function or be removed by us
# if that site is abused or overloaded. ONLY use this option if you have
# difficulties using the databases enabled at the top of this section. This
# option is ONLY for IP lookups, NOT when using the CC_* options above, which
# will continue to use the databases enabled at the top of this section
#
CC_LOOKUPS = "1"

# Display Country Code and Country for reported IPv6 addresses using the
# databases enabled at the top of this section
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support for CC_*, MESSENGER
# and PORTFLOOD
CC6_LOOKUPS = "0"

# This option tells lfd how often to retrieve the databases for CC_ALLOW,
# CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in days)
CC_INTERVAL = "14"

###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific.
# If you set LF_TRIGGER to "0" the value of each trigger is the number of
# failures against that application that will trigger lfd to block the IP
# address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an IP address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# Send an email alert if an IP address is only temporarily blocked by one of
# the [*] triggers
#
# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails
LF_TEMP_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
# Read this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
# Read this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hit from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably be set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone uses sudo to access another account.
# This will send an email alert whether the attempt to use sudo was successful
# or not
#
# NOTE: This option could become onerous if sudo is used extensively for root
# access by administrators or control panels. It is provided for those where
# this is not the case
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUDO_EMAIL_ALERT = "0"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations.
# If it fails to find a binary it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking.
# This option is designed to perform a series of tests to send an alert in case
# a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IPs and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

###############################################################################
# SECTION:CloudFlare
###############################################################################
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons)
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides additional commands via the CLI (and via the UI)
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in
# sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

###############################################################################
# SECTION:Directory Watching & Integrity
###############################################################################
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "300"

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

# This option allows you to have lfd watch a particular file or directory for
# changes; should they change, an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
LF_DIRWATCH_FILE = "0"

# System Integrity Checking. This enables lfd to compare md5sums of the
# server's OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the server's OS is updated or
# monitored application binaries are updated.
# However, unexpected changes should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase I/O load on
# the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"

###############################################################################
# SECTION:Distributed Attacks
###############################################################################
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
# Read this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"

# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"

# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP.
# LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"

# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"

# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""

###############################################################################
# SECTION:Login Tracking
###############################################################################
# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_POP3D = "0"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option.
# Read this file about RESTRICT_SYSLOG before enabling this option:
LT_IMAPD = "0"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

###############################################################################
# SECTION:Connection Tracking
###############################################################################
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = "0"

# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g.
# 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""

# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = ""

# If the total number of connections from a class C subnet is greater than this
# value then the offending subnet is blocked according to the other CT_*
# settings
#
# This option can be used to help prevent some types of DOS attack where a
# range of IPs between x.y.z.1-255 has connected to the server
#
# If you use a reverse proxy service such as Cloudflare you should not enable
# this option, or should exclude the ports that you have proxied in CT_PORTS
#
# To disable this feature, set this to 0
CT_SUBNET_LIMIT = "0"

###############################################################################
# SECTION:Process Tracking
###############################################################################
# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action
#
# The following is the number of seconds a process has to be active before it
# is inspected.
If you set this time too low, then you will likely trigger\n# false-positives with CGI or PHP scripts.\n# Set the value to 0 to disable this feature\nPT_LIMIT = \"60\"\n\n# How frequently processes are checked in seconds\nPT_INTERVAL = \"60\"\n\n# If you want process tracking to highlight php or perl scripts that are run\n# through apache then disable the following,\n# i.e. set it to 0\n#\n# While enabling this setting will reduce false-positives, having it set to 0\n# does provide better checking for exploits running on the server\nPT_SKIP_HTTP = \"0\"\n\n# lfd will report processes, even if they're listed in csf.pignore, if they're\n# tagged as (deleted) by Linux. This information is provided in Linux under\n# /proc/PID/exe. A (deleted) process is one that is running a binary that has\n# the inode for the file removed from the file system directory. This usually\n# happens when the binary has been replaced due to an upgrade for it by the OS\n# vendor or another third party (e.g. cPanel). You need to investigate whether\n# this is indeed the case to be sure that the original binary has not been\n# replaced by a rootkit or is running an exploit.\n#\n# Note: If a deleted executable process is detected and reported then lfd will\n# not report children of the parent (or the parent itself if a child triggered\n# the report) if the parent is also a deleted executable process\n#\n# To stop lfd reporting such processes you need to restart the daemon to which it\n# belongs and therefore run the process using the replacement binary (presuming\n# one exists). 
This will normally mean running the associated startup script in\n# /etc/init.d/\n#\n# If you do want lfd to report deleted binary processes, set to 1\nPT_DELETED = \"0\"\n\n# If a PT_DELETED event is triggered, then if the following contains the path to\n# a script, it will be run in a child process and passed the executable, pid,\n# account for the process, and parent pid\n#\n# The action script must have the execute bit and interpreter (shebang) set. An\n# example is provided in /usr/local/csf/bin/pt_deleted_action.pl\n#\n# WARNING: Make sure you read and understand the potential security\n# implications of such processes in PT_DELETED above before simply restarting\n# such processes with a script\nPT_DELETED_ACTION = \"\"\n\n# User Process Tracking. This option enables the tracking of the number of\n# processes any given account is running at one time. If the number of processes\n# exceeds the value of the following setting an email alert is sent with\n# details of those processes. If you specify a user in csf.pignore it will be\n# ignored\n#\n# Set to 0 to disable this feature\nPT_USERPROC = \"10\"\n\n# This User Process Tracking option sends an alert if any user process exceeds\n# the virtual memory usage set (MB). To ignore specific processes or users use\n# csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERMEM = \"512\"\n\n# This User Process Tracking option sends an alert if any user process exceeds\n# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific\n# processes or users use csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERRSS = \"256\"\n\n# This User Process Tracking option sends an alert if any linux user process\n# exceeds the time usage set (seconds). 
To ignore specific processes or users\n# use csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERTIME = \"1800\"\n\n# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or\n# PT_USERPROC are killed\n#\n# Warning: We don't recommend enabling this option unless absolutely necessary\n# as it can cause unexpected problems when processes are suddenly terminated.\n# It can also lead to system processes being terminated which could cause\n# stability issues. It is much better to leave this option disabled and to\n# investigate each case as it is reported when the triggers above are breached\n#\n# Note: Processes that are running deleted executables (see PT_DELETED) will\n# not be killed by lfd\nPT_USERKILL = \"0\"\n\n# If you want to disable email alerts if PT_USERKILL is triggered, then set\n# this option to 0\nPT_USERKILL_ALERT = \"1\"\n\n# If a PT_* event is triggered, then if the following contains the path to\n# a script, it will be run in a child process and passed the PID(s) of the\n# process(es) in a comma separated list.\n#\n# The action script must have the execute bit and interpreter (shebang) set\nPT_USER_ACTION = \"\"\n\n# Check the PT_LOAD_AVG minute Load Average (can be set to 1, 5 or 15 and\n# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the\n# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is\n# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP\n# seconds have passed to prevent email floods.\n#\n# Set PT_LOAD to \"0\" to disable this feature\nPT_LOAD = \"30\"\nPT_LOAD_AVG = \"5\"\nPT_LOAD_LEVEL = \"6\"\nPT_LOAD_SKIP = \"3600\"\n\n# This is the Apache Server Status URL used in the email alert. Requires the\n# Apache mod_status module to be installed and configured correctly\nPT_APACHESTATUS = \"http://127.0.0.1/server-status\"\n\n# If a PT_LOAD event is triggered, then if the following contains the path to\n# a script, it will be run in a child process. 
For example, the script could\n# contain commands to terminate and restart httpd, php, exim, etc. in case of\n# looping processes. The action script must have the execute bit and\n# interpreter (shebang) set\nPT_LOAD_ACTION = \"\"\n\n# Fork Bomb Protection. This option checks the number of processes with the\n# same session id and if greater than the value set, the whole session tree is\n# terminated and an alert sent\n#\n# You can see an example of common session id processes on most Linux systems\n# using: \"ps axf -O sid\"\n#\n# On cPanel servers, PT_ALL_USERS should be enabled to use this option\n# effectively\n#\n# This option will check root owned processes. Session id 0 and 1 will always\n# be ignored as they represent kernel and init processes. csf.pignore will be\n# honoured, but bear in mind that a session tree can contain a variety of users\n# and executables\n#\n# Care needs to be taken to ensure that this option only detects runaway fork\n# bombs, so should be set higher than any session tree is likely to get (e.g.\n# httpd could have 100s of legitimate children on very busy systems). A\n# sensible starting point on most servers might be 250\nPT_FORKBOMB = \"0\"\n\n# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes\n# are often left hanging after their connecting IP addresses have been blocked\n#\n# This option will terminate the SSH processes created by the blocked IP. This\n# option is preferred over PT_SSHDHUNG\nPT_SSHDKILL = \"0\"\n\n# This option will terminate all processes with the cmdline of \"sshd: unknown\n# [net]\" or \"sshd: unknown [priv]\" if they have been running for more than 60\n# seconds\nPT_SSHDHUNG = \"0\"\n\n###############################################################################\n# SECTION:Port Scan Tracking\n###############################################################################\n# Port Scan Tracking. This feature tracks port blocks logged by iptables to\n# syslog. 
If an IP address generates a port block that is logged more than\n# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.\n#\n# This feature could, for example, be useful for blocking hackers attempting\n# to access the standard SSH port if you have moved it to a port other than 22\n# and have removed 22 from the TCP_IN list so that connection attempts to the\n# old port are being logged\n#\n# This feature blocks all iptables blocks from the iptables logs, including\n# repeated attempts to one port or SYN flood blocks, etc\n#\n# Note: This feature will only track iptables blocks from the log file set in\n# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will\n# cause redundant blocking with DROP_IP_LOGGING enabled\n#\n# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)\n# could very quickly fill the iptables rule chains and cause a DOS in itself.\n# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks\n# and the DENY_TEMP_IP_LIMIT with temporary blocks\n#\n# Set PS_INTERVAL to \"0\" to disable this feature. A value of between 60 and 300\n# would be sensible to enable this feature\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nPS_INTERVAL = \"0\"\nPS_LIMIT = \"10\"\n\n# You can specify the ports and/or port ranges that should be tracked by the\n# Port Scan Tracking feature. The following setting is a comma separated list\n# of those ports and uses the same format as TCP_IN. 
The setting of\n# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports\n#\n# Special values are:\n# ICMP - include ICMP blocks (see ICMP_*)\n# INVALID - include INVALID blocks (see PACKET_FILTER)\n# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*\n# BRD - include UDP Broadcast IPs, otherwise they are ignored\nPS_PORTS = \"0:65535,ICMP\"\n\n# To specify how many different ports qualify as a Port Scan you can increase\n# the following from the default value of 1. The risk in doing so is\n# that persistent attempts to attack a specific closed port will not be\n# detected and blocked\nPS_DIVERSITY = \"1\"\n\n# You can select whether IP blocks for Port Scan Tracking should be temporary\n# or permanent. Set PS_PERMANENT to \"0\" for temporary and \"1\" for permanent\n# blocking. If set to \"0\" PS_BLOCK_TIME is the amount of time in seconds to\n# temporarily block the IP address for\nPS_PERMANENT = \"0\"\nPS_BLOCK_TIME = \"3600\"\n\n# Set the following to \"1\" to enable Port Scan Tracking email alerts, set to\n# \"0\" to disable them\nPS_EMAIL_ALERT = \"1\"\n\n###############################################################################\n# SECTION:User ID Tracking\n###############################################################################\n# User ID Tracking. This feature tracks UID blocks logged by iptables to\n# syslog. If a UID generates a port block that is logged more than UID_LIMIT\n# times within UID_INTERVAL seconds, an alert will be sent\n#\n# Note: This feature will only track iptables blocks from the log file set in\n# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.\n#\n# To ignore specific UIDs list them in csf.uidignore and then restart lfd\n#\n# Set UID_INTERVAL to \"0\" to disable this feature. A value of between 60 and 300\n# would be sensible to enable this feature\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nUID_INTERVAL = \"0\"\nUID_LIMIT = \"10\"\n\n# You can specify the ports and/or port ranges that should be tracked by the\n# User ID Tracking feature. The following setting is a comma separated list\n# of those ports and uses the same format as TCP_OUT. The default setting of\n# 0:65535,ICMP covers all ports\nUID_PORTS = \"0:65535,ICMP\"\n\n###############################################################################\n# SECTION:Account Tracking\n###############################################################################\n# Account Tracking. The following options enable the tracking of modifications\n# to the accounts on a server. If any of the enabled options are triggered by\n# a modification to an account, an alert email is sent. Only the modification\n# is reported. The cause of the modification will have to be investigated\n# manually\n#\n# You can set AT_ALERT to the following:\n# 0 = disable this feature\n# 1 = enable this feature for all accounts\n# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)\n# 3 = enable this feature only for the root account\nAT_ALERT = \"2\"\n\n# This option is the interval between checks in seconds\nAT_INTERVAL = \"60\"\n\n# Send alert if a new account is created\nAT_NEW = \"1\"\n\n# Send alert if an existing account is deleted\nAT_OLD = \"1\"\n\n# Send alert if an account password has changed\nAT_PASSWD = \"1\"\n\n# Send alert if an account uid has changed\nAT_UID = \"1\"\n\n# Send alert if an account gid has changed\nAT_GID = \"1\"\n\n# Send alert if an account login directory has changed\nAT_DIR = \"1\"\n\n# Send alert if an account login shell has changed\nAT_SHELL = \"1\"\n\n###############################################################################\n# SECTION:Integrated User Interface\n###############################################################################\n# Integrated User Interface. 
This feature provides an HTML UI to csf and lfd,\n# without requiring a control panel or web server. The UI runs as a sub process\n# to the lfd daemon\n#\n# As it runs under the root account and successful login provides root access\n# to the server, great care should be taken when configuring and using this\n# feature. There are additional restrictions to enhance secure access to the UI\n#\n# See readme.txt for more information about using this feature BEFORE enabling\n# it for security and access reasons\n# \n# 1 to enable, 0 to disable\nUI = \"1\"\n\n# Set this to the port that you want to bind this service to. You should configure\n# this port to be >1023 and different from any other port already being used\n#\n# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's\n# to the port using Advanced Allow Filters (see readme.txt)\nUI_PORT = \"8546\"\n\n# Optionally set the IP address to bind to. Normally this should be left blank\n# to bind to all IP addresses on the server.\n#\n# If the server is configured for IPv6 but the IP to bind to is IPv4, then the\n# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use\n# ::ffff:1.2.3.4\n#\n# Leave blank to bind to all IP addresses on the server\nUI_IP = \"\"\n\n# This should be a secure, hard to guess username\n# \n# This must be changed from the default\nUI_USER = \"admin\"\n\n# This should be a secure, hard to guess password. That is, at least 8\n# characters long with a mixture of upper and lowercase characters plus \n# numbers and non-alphanumeric characters\n#\n# This must be changed from the default\nUI_PASS = \"password\"\n\n# This is the login session timeout. If there is no activity for a logged in\n# session within this number of seconds, the session will timeout and a new\n# login will be required\n#\n# For security reasons, you should always keep this option low (i.e. 60-300)\nUI_TIMEOUT = \"300\"\n\n# This is the maximum concurrent connections allowed to the server. 
The default\n# value should be sufficient\nUI_CHILDREN = \"5\"\n\n# The number of login retries allowed within a 24 hour period. A successful\n# login from the IP address will clear the failures\n#\n# For security reasons, you should always keep this option low (i.e. 0-10)\nUI_RETRY = \"5\"\n\n# If enabled, this option will add the connecting IP address to the file \n# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be\n# able to login to the UI while it is listed in this file. The UI_BAN setting\n# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,\n# csf.ignore, etc.\n#\n# For security reasons, you should always enable this option\nUI_BAN = \"1\"\n\n# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will\n# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of\n# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.\n#\n# For security reasons, you should always enable this option and use ui.allow\nUI_ALLOW = \"1\"\n\n# If enabled, this option will trigger an iptables block through csf after\n# UI_RETRY login failures\n#\n# 0 = no block;1 = perm block;nn=temp block for nn secs\nUI_BLOCK = \"1\"\n\n# This controls what email alerts are sent with regards to logins to the UI. It\n# uses the uialert.txt template\n#\n# 4 = login success + login failure/ban/block + login attempts\n# 3 = login success + login failure/ban/block\n# 2 = login failure/ban/block\n# 1 = login ban/block\n# 0 = disabled\nUI_ALERT = \"4\"\n\n# This is the SSL cipher list that the Integrated UI will negotiate from\nUI_CIPHER = \"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH\"\n\n# This is the SSL protocol version used. 
See IO::Socket::SSL if you wish to\n# change this and to understand the implications of changing it\nUI_SSL_VERSION = \"SSLv23:!SSLv3:!SSLv2\"\n\n# If cxs is installed then enabling this option will provide a dropdown box to\n# switch between applications\nUI_CXS = \"0\"\n\n# There is a modified installation of ConfigServer Explorer (cse) provided with\n# the csf distribution. If this option is enabled it will provide a dropdown\n# box to switch between applications\nUI_CSE = \"0\"\n\n###############################################################################\n# SECTION:Messenger service\n###############################################################################\n# Messenger service. This feature allows the display of a message to a blocked\n# connecting IP address to inform the user that they are blocked in the\n# firewall. This can help when users get themselves blocked, e.g. due to\n# multiple login failures. The service is provided by two daemons running on\n# ports providing either an HTML or TEXT message\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# IPv6 will need the IO::Socket::INET6 perl module\n#\n# For further information on features and limitations refer to the csf\n# readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\n#\n# 1 to enable, 0 to disable\nMESSENGER = \"0\"\n\n# Provide this service to temporary IP address blocks\nMESSENGER_TEMP = \"1\"\n\n# Provide this service to permanent IP address blocks\nMESSENGER_PERM = \"1\"\n\n# User account to run the service servers under. 
We recommend creating a\n# specific non-priv, non-shell account for this purpose\n#\n# Note: When using MESSENGERV2, this account must NOT be a valid control panel\n# account, it must be created manually as explained in the csf readme.txt\nMESSENGER_USER = \"csf\"\n\n# This option points to the file(s) containing the Apache VirtualHost SSL\n# definitions. This can be a file glob if there are multiple files to search.\n# Only Apache v2 SSL VirtualHost definitions are supported\n#\n# This is used by MESSENGERV1 and MESSENGERV2 only\nMESSENGER_HTTPS_CONF = \"/etc/httpd/conf.d/ssl.conf\"\n\n# The following options can be specified to provide a default fallback\n# certificate to be used if either SNI is not supported or a hosted domain does\n# not have an SSL certificate. If a fallback is not provided, one of the certs\n# obtained from MESSENGER_HTTPS_CONF will be used\n#\n# This is used by MESSENGERV1 and MESSENGERV2 only\nMESSENGER_HTTPS_KEY = \"/etc/pki/tls/private/localhost.key\"\nMESSENGER_HTTPS_CRT = \"/etc/pki/tls/certs/localhost.crt\"\n\n# Set this to the port that will receive the HTTPS HTML message. You should\n# configure this port to be >1023 and different from the TEXT and HTML port. Do\n# NOT enable access to this port in TCP_IN. This option requires the perl\n# module IO::Socket::SSL at a version level that supports SNI (1.83+).\n# Additionally the version of openssl on the server must also support SNI\n#\n# The option uses existing SSL certificates on the server for each domain to\n# maintain a secure connection without browser warnings. It uses SNI to choose\n# the correct certificate to use for each client connection\n#\n# Warning: On some servers the amount of memory used by the HTTPS MESSENGER\n# service can become significant depending on various factors associated with\n# the use of IO::Socket::SSL including the number of domains and certificates\n# served. 
This is normally only an issue if using MESSENGERV1\nMESSENGER_HTTPS = \"8887\"\n\n# This comma separated list contains the HTTPS HTML ports that will be redirected\n# for the blocked IP address. If you are using per application blocking\n# (LF_TRIGGER) then only the relevant block port will be redirected to the\n# messenger port\n#\n# Recommended setting \"443\" plus any end-user control panel SSL ports. So, for\n# cPanel: \"443,2083,2096\"\nMESSENGER_HTTPS_IN = \"443\"\n\n# Set this to the port that will receive the HTML message. You should configure\n# this port to be >1023 and different from the TEXT port. Do NOT enable access\n# to this port in TCP_IN\nMESSENGER_HTML = \"8888\"\n\n# This comma separated list contains the HTML ports that will be redirected for the\n# blocked IP address. If you are using per application blocking (LF_TRIGGER)\n# then only the relevant block port will be redirected to the messenger port\nMESSENGER_HTML_IN = \"80\"\n\n# Set this to the port that will receive the TEXT message. You should configure\n# this port to be >1023 and different from the HTML port. Do NOT enable access\n# to this port in TCP_IN\nMESSENGER_TEXT = \"8889\"\n\n# This comma separated list contains the TEXT ports that will be redirected for the\n# blocked IP address. If you are using per application blocking (LF_TRIGGER)\n# then only the relevant block port will be redirected to the messenger port\nMESSENGER_TEXT_IN = \"21\"\n\n# These settings limit the rate at which connections can be made to the\n# messenger service servers. Their intention is to provide protection from\n# attacks or excessive connections to the servers. 
If the rate is exceeded then\n# iptables will revert for the duration to the normal blocking activity\n#\n# See the iptables man page for the correct --limit rate syntax\nMESSENGER_RATE = \"100/s\"\nMESSENGER_BURST = \"150\"\n\n# MESSENGERV1 only:\n#------------------------------------------------------------------------------\n# This is the maximum concurrent connections allowed to each service server\n#\n# Note: This number should be increased to cater for the number of local images\n# served by this page, including one for favicon.ico. This is because each\n# image displayed counts as an additional connection\nMESSENGER_CHILDREN = \"20\"\n\n# This option ignores ServerAlias definitions that begin with \"mail.\". This\n# can help reduce memory usage on systems that do not require the use of\n# MESSENGER_HTTPS on those subdomains\n#\n# Set to 0 to include these ServerAlias definitions\nMESSENGER_HTTPS_SKIPMAIL = \"1\"\n\n# MESSENGERV2 only:\n#------------------------------------------------------------------------------\n# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+\n# under EA4.\n#\n# This uses the Apache http daemon to provide the web server functionality for\n# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources\n# that the lfd inbuilt service uses and overcomes the memory overhead of using\n# the MESSENGER HTTPS service\n#\n# For more information consult readme.txt before enabling this option\n#MESSENGERV2 = \"0\"\n\n# MESSENGERV3 only:\n#------------------------------------------------------------------------------\n# MESSENGERV3. This option is available on any server running Apache v2.4+,\n# Litespeed or Openlitespeed\n#\n# This uses the web server http daemon to provide the web server functionality\n# for the MESSENGER HTML and HTTPS services. 
It uses a fraction of the\n# resources that the lfd inbuilt service uses and overcomes the memory overhead\n# of using the MESSENGER HTTPS service\n#\n# For more information consult readme.txt before enabling this option\nMESSENGERV3 = \"0\"\n\n# This is the file or directory where the additional web server configuration\n# file should be included\nMESSENGERV3LOCATION = \"/etc/httpd/conf.d/\"\n\n# This is the command to restart the web server\nMESSENGERV3RESTART = \"service httpd restart\"\n\n# This is the command to test the validity of the web server configuration. If\n# using Litespeed, set to \"\"\nMESSENGERV3TEST = \"/usr/sbin/apachectl -t\"\n\n# This must be set to the main httpd.conf file for either Apache or Litespeed\nMESSENGERV3HTTPS_CONF = \"/etc/httpd/conf/httpd.conf\"\n\n# This can be set to either:\n# \"apache\" - for servers running Apache v2.4+ or Litespeed using Apache\n# configuration\n# \"litespeed\" - for Litespeed or Openlitespeed\nMESSENGERV3WEBSERVER = \"apache\"\n\n# On creation, set the MESSENGER_USER public_html directory permissions to\n# the following value\n#\n# Note: If you precreate this directory the following setting will be ignored\nMESSENGERV3PERMS = \"711\"\n\n# On creation, set the MESSENGER_USER public_html directory group owner to\n# the following group\n#\n# Note: If you precreate this directory the following setting will be ignored\nMESSENGERV3GROUP = \"apache\"\n\n# This is the web server configuration to allow PHP scripts to run. If left\n# empty, the MESSENGER service will try to configure this. If this does not\n# work, this should be set as an \"Include /path/to/csf_php.conf\" or similar\n# file which must contain appropriate web server configuration to allow PHP\n# scripts to run. This line will be included within each MESSENGER VirtualHost\n# container. 
This will replace the [MESSENGERV3PHPHANDLER] line from the csf\n# webserver template files\nMESSENGERV3PHPHANDLER = \"\"\n\n# RECAPTCHA:\n#------------------------------------------------------------------------------\n# The RECAPTCHA options provide a way for end-users that have blocked\n# themselves in the firewall to unblock themselves.\n#\n# A valid Google ReCAPTCHA (v2) key set is required for this feature from:\n# https://www.google.com/recaptcha/intro/index.html\n#\n# When configuring a new reCAPTCHA API key set you must ensure that the option\n# for \"Domain Name Validation\" is unticked so that the same reCAPTCHA can be\n# used for all domains hosted on the server. lfd then checks that the hostname\n# of the request resolves to an IP on this server\n#\n# This feature requires the installation of the LWP::UserAgent perl module (see\n# option URLGET for more details)\n#\n# The template used for this feature is /etc/csf/messenger/index.recaptcha.html\n#\n# Note: An unblock will fail if the end-user's IP is located in a netblock,\n# blocklist or CC_* deny entry\nRECAPTCHA_SITEKEY = \"\"\nRECAPTCHA_SECRET = \"\"\n\n# Send an email when an IP address successfully attempts to unblock itself.\n# This does not necessarily mean the IP was unblocked, only that the\n# post-recaptcha unblock request was attempted\n#\n# Set to \"0\" to disable\nRECAPTCHA_ALERT = \"1\"\n\n# If the server uses NAT then resolving the hostname to hosted IPs will likely\n# not succeed. In that case, the external IP addresses must be listed as a comma\n# separated list here\nRECAPTCHA_NAT = \"\"\n\n###############################################################################\n# SECTION:lfd Clustering\n###############################################################################\n# lfd Clustering. 
This allows the configuration of an lfd cluster environment\n# where a group of servers can share blocks and configuration option changes.\n# Included are CLI and UI options to send requests to the cluster.\n#\n# See the readme.txt file for more information and details on setup and\n# security risks.\n#\n# Set this to a comma separated list of cluster member IP addresses to send\n# requests to. Alternatively, it can be set to the full path of a file that\n# will read in one IP per line, e.g.:\n# \"/etc/csf/cluster_sendto.txt\"\nCLUSTER_SENDTO = \"\"\n\n# Set this to a comma separated list of cluster member IP addresses to receive\n# requests from. Alternatively, it can be set to the full path of a file that\n# will read in one IP per line, e.g.:\n# \"/etc/csf/cluster_recvfrom.txt\"\nCLUSTER_RECVFROM = \"\"\n\n# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG\n# changes\nCLUSTER_MASTER = \"\"\n\n# If this is a NAT server, set this to the public IP address of this server\nCLUSTER_NAT = \"\"\n\n# If a cluster member should send requests on an IP other than the default IP,\n# set it here\nCLUSTER_LOCALADDR = \"\"\n\n# Cluster communication port (must be the same on all member servers). There\n# is no need to open this port in the firewall as csf will automatically add\n# in and out bound rules to allow communication between cluster members\nCLUSTER_PORT = \"7777\"\n\n# This is a secret key used to encrypt cluster communications using the\n# Blowfish algorithm. It should be between 8 and 56 characters long,\n# preferably > 20 random characters\n# 56 chars: 01234567890123456789012345678901234567890123456789012345\nCLUSTER_KEY = \"\"\n\n# Automatically send lfd blocks to all members of CLUSTER_SENDTO. 
Those\n# servers must have this server's IP address listed in their CLUSTER_RECVFROM\n#\n# Set to 0 to disable this feature\nCLUSTER_BLOCK = \"1\"\n\n# This option allows the enabling and disabling of the Cluster configuration\n# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the\n# CLUSTER_MASTER server\n#\n# Set this option to 1 to allow Cluster configurations to be received\nCLUSTER_CONFIG = \"0\"\n\n# Maximum number of child processes to listen on. High blocking rates or large\n# clusters may need to increase this\nCLUSTER_CHILDREN = \"10\"\n\n###############################################################################\n# SECTION:Port Knocking\n###############################################################################\n# Port Knocking. This feature allows port knocking to be enabled on multiple\n# ports with a variable number of knocked ports and a timeout. There must be a\n# minimum of 3 ports to knock for an entry to be valid\n#\n# See the following for information regarding Port Knocking:\n# http://www.portknocking.org/\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Port Knocking section of the\n# csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\n#\n# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...\n# e.g.: 22;TCP;20;100;200;300;400\nPORTKNOCKING = \"\"\n\n# Enable PORTKNOCKING logging by iptables\nPORTKNOCKING_LOG = \"1\"\n\n# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must\n# also be enabled to use this option\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nPORTKNOCKING_ALERT = \"0\"\n\n###############################################################################\n# SECTION:Log Scanner\n###############################################################################\n# Log Scanner. This feature will send out an email summary of the log lines of\n# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless\n# they match a regular expression in /etc/csf/csf.logignore\n#\n# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,\n# be aware that the more files lfd has to track, the greater the performance\n# hit. Note: File globs are only evaluated when lfd is started\n#\n# Note: lfd builds the report continuously from lines logged after lfd has\n# started, so any lines logged when lfd is not running will not be reported\n# (e.g. during reboot). If lfd is restarted, then the report will include any\n# lines logged during the previous lfd logging period that weren't reported\n#\n# 1 to enable, 0 to disable\nLOGSCANNER = \"0\"\n\n# This is the interval each report will be sent based on the logalert.txt\n# template\n#\n# The interval can be set to:\n# \"hourly\" - sent on the hour\n# \"daily\" - sent at midnight (00:00)\n# \"manual\" - sent whenever \"csf --logrun\" is run. This allows for scheduling\n# via cron job\nLOGSCANNER_INTERVAL = \"hourly\"\n\n# Report Style\n# 1 = Separate chronological log lines per log file\n# 2 = Simply chronological log of all lines\nLOGSCANNER_STYLE = \"1\"\n\n# Send the report email even if no log lines reported\n# 1 to enable, 0 to disable\nLOGSCANNER_EMPTY = \"1\"\n\n# Maximum number of lines in the report before it is truncated. This is to\n# prevent log lines flooding resulting in an excessively large report. 
This\n# might need to be increased if you choose a daily report\nLOGSCANNER_LINES = \"5000\"\n\n###############################################################################\n# SECTION:Statistics Settings\n###############################################################################\n# Statistics\n#\n# Some of the Statistics output requires the gd graphics library and the\n# GD::Graph perl module with all dependent modules to be installed for the UI\n# for them to be displayed\n#\n# This option enables statistical data gathering\nST_ENABLE = \"1\"\n\n# This option determines how many iptables log lines to store for reports\nST_IPTABLES = \"100\"\n\n# This option indicates whether rDNS and CC lookups are performed at the time\n# the log line is recorded (this is not performed when viewing the reports)\n#\n# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,\n# then enabling this setting could cause serious performance problems\nST_LOOKUP = \"0\"\n\n# This option will gather basic system statistics. Through the UI it displays\n# various graphs for disk, cpu, memory, network, etc. usage over 4 intervals:\n# . Hourly (per minute)\n# . 24 hours (per minute)\n# . 7 days (per minute averaged over an hour)\n# . 30 days (per minute averaged over an hour) - user definable\n# The data is stored in /var/lib/csf/stats/system and the option requires the\n# perl GD::Graph module\n#\n# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on\n# those systems does not store the required information in /proc/diskstats\n# On new installations or when enabling this option it will take time for these\n# graphs to be populated\nST_SYSTEM = \"0\"\n\n# Set the maximum days to collect statistics for. The default is 30 days; the\n# more data that is collected, the longer it will take for each of the graphs to\n# be generated\nST_SYSTEM_MAXDAYS = \"30\"\n\n# If ST_SYSTEM is enabled, then these options can collect MySQL statistical\n# data. 
To use this option the server must have the perl modules DBI and\n# DBD::mysql installed.\n#\n# Set this option to \"0\" to disable MySQL data collection\nST_MYSQL = \"0\"\n\n# The following options are for authentication for MySQL data collection. If\n# the password is left blank and the user set to \"root\" then the procedure will\n# look for authentication data in /root/.my.cnf. Otherwise, you will need to\n# provide a MySQL username and password to collect the data. Any MySQL user\n# account can be used\nST_MYSQL_USER = \"root\"\nST_MYSQL_PASS = \"\"\nST_MYSQL_HOST = \"localhost\"\n\n# If ST_SYSTEM is enabled, then this option can collect Apache statistical data\n# The value for PT_APACHESTATUS must be correctly set\nST_APACHE = \"0\"\n\n# The following options measure disk write performance using dd (location set\n# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and\n# the statistics will plot the MB/s response time of the disk. As this is an IO\n# intensive operation, it may not be prudent to run this test too often, so by\n# default it is only run every 5 minutes and the result duplicated for each\n# intervening minute for the statistics\n#\n# This is not necessarily a good measure of disk performance, primarily because\n# the measurements are for relatively small amounts of data over a small amount\n# of time. To properly test disk performance there are a variety of tools\n# available that should be run for extended periods of time to obtain an\n# accurate measurement. This metric is provided to give an idea of how the disk\n# is performing over time\n#\n# Note: There is a 15 second timeout performing the check\n#\n# Set to 0 to disable, 1 to enable\nST_DISKW = \"0\"\n\n# The number of minutes that elapse between tests. Default is 5, minimum is 1.\nST_DISKW_FREQ = \"5\"\n\n# This is the command line passed to dd. 
If you are familiar with dd, or wish\n# to move the output file (of) to a different disk, then you can alter this\n# command. Take great care when making any changes to this command as it is\n# very easy to overwrite a disk using dd if you make a mistake\nST_DISKW_DD = \"if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync\"\n\n###############################################################################\n# SECTION:Docker Settings\n###############################################################################\n# This section provides the configuration of iptables rules to allow Docker\n# containers to communicate through the host. If the generated rules do not\n# work with your setup you will have to use a /etc/csf/csfpost.sh file and add\n# your own iptables configuration instead\n#\n# 1 to enable, 0 to disable\nDOCKER = \"0\"\n\n# The network device on the host\nDOCKER_DEVICE = \"docker0\"\n\n# Docker container IPv4 range\nDOCKER_NETWORK4 = \"172.17.0.0/16\"\n\n# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table\n# available (see IPv6 section). 
Leave blank to disable\nDOCKER_NETWORK6 = \"2001:db8:1::/64\"\n\n###############################################################################\n# SECTION:OS Specific Settings\n###############################################################################\n# Binary locations\nIPTABLES = \"/sbin/iptables\"\nIPTABLES_SAVE = \"/sbin/iptables-save\"\nIPTABLES_RESTORE = \"/sbin/iptables-restore\"\nIP6TABLES = \"/sbin/ip6tables\"\nIP6TABLES_SAVE = \"/sbin/ip6tables-save\"\nIP6TABLES_RESTORE = \"/sbin/ip6tables-restore\"\nMODPROBE = \"/sbin/modprobe\"\nIFCONFIG = \"/sbin/ifconfig\"\nSENDMAIL = \"/usr/sbin/sendmail\"\nPS = \"/bin/ps\"\nVMSTAT = \"/usr/bin/vmstat\"\nNETSTAT = \"/bin/netstat\"\nLS = \"/bin/ls\"\nMD5SUM = \"/usr/bin/md5sum\"\nTAR = \"/bin/tar\"\nCHATTR = \"/usr/bin/chattr\"\nUNZIP = \"/usr/bin/unzip\"\nGUNZIP = \"/bin/gunzip\"\nDD = \"/bin/dd\"\nTAIL = \"/usr/bin/tail\"\nGREP = \"/bin/grep\"\nZGREP = \"/bin/zgrep\"\nIPSET = \"/sbin/ipset\"\nSYSTEMCTL = \"/bin/systemctl\"\nHOST = \"/usr/bin/host\"\nIP = \"/bin/ip\"\nCURL = \"/usr/bin/curl\"\nWGET = \"/usr/bin/wget\"\n\n# Log file locations\n#\n# File globbing is allowed for the following logs. 
However, be aware that the\n# more files lfd has to track, the greater the performance hit\n#\n# Note: File globs are only evaluated when lfd is started\n#\nHTACCESS_LOG = \"/var/log/apache2/error.log\"\nMODSEC_LOG = \"/var/log/apache2/error.log\"\nSSHD_LOG = \"/var/log/auth.log\"\nSU_LOG = \"/var/log/messages\"\nSUDO_LOG = \"/var/log/secure\"\nFTPD_LOG = \"/var/log/messages\"\nSMTPAUTH_LOG = \"/var/log/secure\"\nPOP3D_LOG = \"/var/log/mail.log\"\nIMAPD_LOG = \"/var/log/mail.log\"\nIPTABLES_LOG = \"/var/log/messages\"\nSUHOSIN_LOG = \"/var/log/messages\"\nBIND_LOG = \"/var/log/messages\"\nSYSLOG_LOG = \"/var/log/messages\"\nWEBMIN_LOG = \"/var/log/auth.log\"\n\nCUSTOM1_LOG = \"/var/log/customlog\"\nCUSTOM2_LOG = \"/var/log/customlog\"\nCUSTOM3_LOG = \"/var/log/customlog\"\nCUSTOM4_LOG = \"/var/log/customlog\"\nCUSTOM5_LOG = \"/var/log/customlog\"\nCUSTOM6_LOG = \"/var/log/customlog\"\nCUSTOM7_LOG = \"/var/log/customlog\"\nCUSTOM8_LOG = \"/var/log/customlog\"\nCUSTOM9_LOG = \"/var/log/customlog\"\n\n# The following are comma separated lists used if LF_SELECT is enabled,\n# otherwise they are not used. They are derived from the application returned\n# from a regex match in /usr/local/csf/bin/regex.pm\n#\n# All ports default to tcp blocks. To specify udp or tcp use the format:\n# port;protocol,port;protocol,... For example, \"53;udp,53;tcp\"\nPORTS_pop3d = \"110,995\"\nPORTS_imapd = \"143,993\"\nPORTS_htpasswd = \"80,443\"\nPORTS_mod_security = \"80,443\"\nPORTS_mod_qos = \"80,443\"\nPORTS_symlink = \"80,443\"\nPORTS_suhosin = \"80,443\"\nPORTS_cxs = \"80,443\"\nPORTS_bind = \"53;udp,53;tcp\"\nPORTS_ftpd = \"20,21\"\nPORTS_webmin = \"10000\"\nPORTS_smtpauth = \"25,465,587\"\nPORTS_eximsyntax = \"25,465,587\"\n# This list is replaced, if present, by \"Port\" definitions in\n# /etc/ssh/sshd_config\nPORTS_sshd = \"22\"\n\n# This configuration is for use with generic Linux servers, do not change the\n# following setting:\nGENERIC = \"1\"\n\n# For internal use only. 
You should not enable this option as it could cause\n# instability in csf and lfd\nDEBUG = \"0\"\n###############################################################################\n
", "tags": ["configure"]}, {"location": "cheatsheet/conf/#clean-version", "title": "Clean Version", "text": "TESTING = \"0\"\nTESTING_INTERVAL = \"5\"\nRESTRICT_SYSLOG = \"0\"\nRESTRICT_SYSLOG_GROUP = \"mysyslog\"\nRESTRICT_UI = \"1\"\nAUTO_UPDATES = \"1\"\nLF_SPI = \"1\"\nTCP_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\nTCP_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\nUDP_IN = \"20,21,53,853,80,443\"\nUDP_OUT = \"20,21,53,853,113,123\"\nICMP_IN = \"1\"\nICMP_IN_RATE = \"1/s\"\nICMP_OUT = \"1\"\nICMP_OUT_RATE = \"0\"\nICMP_TIMESTAMPDROP = \"0\"\nIPV6 = \"1\"\nIPV6_ICMP_STRICT = \"0\"\nIPV6_SPI = \"1\"\nTCP6_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\nTCP6_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\nUDP6_IN = \"20,21,53,853,80,443\"\nUDP6_OUT = \"20,21,53,853,113,123\"\nETH_DEVICE = \"\"\nETH6_DEVICE = \"\"\nETH_DEVICE_SKIP = \"\"\nUSE_CONNTRACK = \"1\"\nUSE_FTPHELPER = \"0\"\nSYSLOG_CHECK = \"0\"\nIGNORE_ALLOW = \"0\"\nDNS_STRICT = \"0\"\nDNS_STRICT_NS = \"0\"\nDENY_IP_LIMIT = \"200\"\nDENY_TEMP_IP_LIMIT = \"100\"\nLF_DAEMON = \"1\"\nLF_CSF = \"1\"\nFASTSTART = \"1\"\nLF_IPSET = \"0\"\nWAITLOCK = \"1\"\nWAITLOCK_TIMEOUT = \"300\"\nLF_IPSET_HASHSIZE = \"1024\"\nLF_IPSET_MAXELEM = \"65536\"\nLFDSTART = \"0\"\nVERBOSE = \"1\"\nPACKET_FILTER = \"1\"\nLF_LOOKUPS = \"1\"\nSTYLE_CUSTOM = \"0\"\nSTYLE_MOBILE = \"1\"\nSMTP_BLOCK = \"0\"\nSMTP_ALLOWLOCAL = \"1\"\nSMTP_REDIRECT = \"0\"\nSMTP_PORTS = \"25,465,587\"\nSMTP_ALLOWUSER = \"\"\nSMTP_ALLOWGROUP = \"mail,mailman\"\nSMTPAUTH_RESTRICT = \"0\"\nSYNFLOOD = \"0\"\nSYNFLOOD_RATE = \"100/s\"\nSYNFLOOD_BURST = \"150\"\nCONNLIMIT = \"\"\nPORTFLOOD = \"\"\nUDPFLOOD = \"0\"\nUDPFLOOD_LIMIT = \"100/s\"\nUDPFLOOD_BURST = \"500\"\nUDPFLOOD_ALLOWUSER = \"named\"\nSYSLOG = \"0\"\nDROP = \"DROP\"\nDROP_OUT = \"REJECT\"\nDROP_LOGGING = \"1\"\nDROP_IP_LOGGING = \"0\"\nDROP_OUT_LOGGING = \"1\"\nDROP_UID_LOGGING = \"1\"\nDROP_ONLYRES = \"0\"\nDROP_NOLOG = 
\"23,67,68,111,113,135:139,445,500,513,520\"\nDROP_PF_LOGGING = \"0\"\nCONNLIMIT_LOGGING = \"0\"\nUDPFLOOD_LOGGING = \"1\"\nLOGFLOOD_ALERT = \"0\"\nLF_ALERT_TO = \"\"\nLF_ALERT_FROM = \"\"\nLF_ALERT_SMTP = \"\"\nBLOCK_REPORT = \"\"\nUNBLOCK_REPORT = \"\"\nX_ARF = \"0\"\nX_ARF_FROM = \"\"\nX_ARF_TO = \"\"\nX_ARF_ABUSE = \"0\"\nLF_PERMBLOCK = \"1\"\nLF_PERMBLOCK_INTERVAL = \"86400\"\nLF_PERMBLOCK_COUNT = \"4\"\nLF_PERMBLOCK_ALERT = \"1\"\nLF_NETBLOCK = \"0\"\nLF_NETBLOCK_INTERVAL = \"86400\"\nLF_NETBLOCK_COUNT = \"4\"\nLF_NETBLOCK_CLASS = \"C\"\nLF_NETBLOCK_ALERT = \"1\"\nLF_NETBLOCK_IPV6 = \"\"\nSAFECHAINUPDATE = \"0\"\nDYNDNS = \"0\"\nDYNDNS_IGNORE = \"0\"\nLF_GLOBAL = \"0\"\nGLOBAL_ALLOW = \"\"\nGLOBAL_DENY = \"\"\nGLOBAL_IGNORE = \"\"\nGLOBAL_DYNDNS = \"\"\nGLOBAL_DYNDNS_INTERVAL = \"600\"\nGLOBAL_DYNDNS_IGNORE = \"0\"\nLF_BOGON_SKIP = \"\"\nURLGET = \"2\"\nURLPROXY = \"\"\nMM_LICENSE_KEY = \"\"\nCC_SRC = \"2\"\nCC_DENY = \"\"\nCC_ALLOW = \"\"\nCC_ALLOW_FILTER = \"\"\nCC_ALLOW_PORTS = \"\"\nCC_ALLOW_PORTS_TCP = \"\"\nCC_ALLOW_PORTS_UDP = \"\"\nCC_DENY_PORTS = \"\"\nCC_DENY_PORTS_TCP = \"\"\nCC_DENY_PORTS_UDP = \"\"\nCC_IGNORE = \"\"\nCC_ALLOW_SMTPAUTH = \"\"\nCC_MESSENGER_ALLOW = \"\"\nCC_MESSENGER_DENY = \"\"\nCC_DROP_CIDR = \"\"\nCC_LOOKUPS = \"1\"\nCC6_LOOKUPS = \"0\"\nCC_INTERVAL = \"14\"\nLF_TRIGGER = \"0\"\nLF_TRIGGER_PERM = \"1\"\nLF_SELECT = \"0\"\nLF_EMAIL_ALERT = \"1\"\nLF_TEMP_EMAIL_ALERT = \"1\"\nLF_SSHD = \"5\"\nLF_SSHD_PERM = \"1\"\nLF_FTPD = \"10\"\nLF_FTPD_PERM = \"1\"\nLF_SMTPAUTH = \"5\"\nLF_SMTPAUTH_PERM = \"1\"\nLF_EXIMSYNTAX = \"10\"\nLF_EXIMSYNTAX_PERM = \"1\"\nLF_POP3D = \"0\"\nLF_POP3D_PERM = \"1\"\nLF_IMAPD = \"0\"\nLF_IMAPD_PERM = \"1\"\nLF_HTACCESS = \"5\"\nLF_HTACCESS_PERM = \"1\"\nLF_MODSEC = \"5\"\nLF_MODSEC_PERM = \"1\"\nLF_BIND = \"0\"\nLF_BIND_PERM = \"1\"\nLF_SUHOSIN = \"0\"\nLF_SUHOSIN_PERM = \"1\"\nLF_CXS = \"0\"\nLF_CXS_PERM = \"1\"\nLF_QOS = \"0\"\nLF_QOS_PERM = \"1\"\nLF_SYMLINK = \"0\"\nLF_SYMLINK_PERM = \"1\"\nLF_WEBMIN = 
\"0\"\nLF_WEBMIN_PERM = \"1\"\nLF_SSH_EMAIL_ALERT = \"1\"\nLF_SU_EMAIL_ALERT = \"1\"\nLF_SUDO_EMAIL_ALERT = \"0\"\nLF_WEBMIN_EMAIL_ALERT = \"1\"\nLF_CONSOLE_EMAIL_ALERT = \"1\"\nLF_APACHE_404 = \"0\"\nLF_APACHE_404_PERM = \"3600\"\nLF_APACHE_403 = \"0\"\nLF_APACHE_403_PERM = \"3600\"\nLF_APACHE_401 = \"0\"\nLF_APACHE_ERRPORT = \"0\"\nLF_APACHE_401_PERM = \"3600\"\nLF_MODSECIPDB_ALERT = \"0\"\nLF_MODSECIPDB_FILE = \"/var/run/modsecurity/data/ip.pag\"\nLF_EXPLOIT = \"300\"\nLF_EXPLOIT_IGNORE = \"\"\nLF_INTERVAL = \"3600\"\nLF_PARSE = \"5\"\nLF_FLUSH = \"3600\"\nLF_REPEATBLOCK = \"0\"\nLF_BLOCKINONLY = \"0\"\nCF_ENABLE = \"0\"\nCF_BLOCK = \"block\"\nCF_TEMP = \"3600\"\nLF_DIRWATCH = \"300\"\nLF_DIRWATCH_DISABLE = \"0\"\nLF_DIRWATCH_FILE = \"0\"\nLF_INTEGRITY = \"3600\"\nLF_DISTATTACK = \"0\"\nLF_DISTATTACK_UNIQ = \"2\"\nLF_DISTFTP = \"0\"\nLF_DISTFTP_UNIQ = \"3\"\nLF_DISTFTP_PERM = \"1\"\nLF_DISTFTP_ALERT = \"1\"\nLF_DISTSMTP = \"0\"\nLF_DISTSMTP_UNIQ = \"3\"\nLF_DISTSMTP_PERM = \"1\"\nLF_DISTSMTP_ALERT = \"1\"\nLF_DIST_INTERVAL = \"300\"\nLF_DIST_ACTION = \"\"\nLT_POP3D = \"0\"\nLT_IMAPD = \"0\"\nLT_EMAIL_ALERT = \"1\"\nLT_SKIPPERMBLOCK = \"0\"\nCT_LIMIT = \"0\"\nCT_INTERVAL = \"30\"\nCT_EMAIL_ALERT = \"1\"\nCT_PERMANENT = \"0\"\nCT_BLOCK_TIME = \"1800\"\nCT_SKIP_TIME_WAIT = \"0\"\nCT_STATES = \"\"\nCT_PORTS = \"\"\nCT_SUBNET_LIMIT = \"0\"\nPT_LIMIT = \"60\"\nPT_INTERVAL = \"60\"\nPT_SKIP_HTTP = \"0\"\nPT_DELETED = \"0\"\nPT_DELETED_ACTION = \"\"\nPT_USERPROC = \"10\"\nPT_USERMEM = \"512\"\nPT_USERRSS = \"256\"\nPT_USERTIME = \"1800\"\nPT_USERKILL = \"0\"\nPT_USERKILL_ALERT = \"1\"\nPT_USER_ACTION = \"\"\nPT_LOAD = \"30\"\nPT_LOAD_AVG = \"5\"\nPT_LOAD_LEVEL = \"6\"\nPT_LOAD_SKIP = \"3600\"\nPT_APACHESTATUS = \"http://127.0.0.1/server-status\"\nPT_LOAD_ACTION = \"\"\nPT_FORKBOMB = \"0\"\nPT_SSHDKILL = \"0\"\nPT_SSHDHUNG = \"0\"\nPS_INTERVAL = \"0\"\nPS_LIMIT = \"10\"\nPS_PORTS = \"0:65535,ICMP\"\nPS_DIVERSITY = \"1\"\nPS_PERMANENT = \"0\"\nPS_BLOCK_TIME = 
\"3600\"\nPS_EMAIL_ALERT = \"1\"\nUID_INTERVAL = \"0\"\nUID_LIMIT = \"10\"\nUID_PORTS = \"0:65535,ICMP\"\nAT_ALERT = \"2\"\nAT_INTERVAL = \"60\"\nAT_NEW = \"1\"\nAT_OLD = \"1\"\nAT_PASSWD = \"1\"\nAT_UID = \"1\"\nAT_GID = \"1\"\nAT_DIR = \"1\"\nAT_SHELL = \"1\"\nUI = \"1\"\nUI_PORT = \"8546\"\nUI_IP = \"\"\nUI_USER = \"admin\"\nUI_PASS = \"password\"\nUI_TIMEOUT = \"300\"\nUI_CHILDREN = \"5\"\nUI_RETRY = \"5\"\nUI_BAN = \"1\"\nUI_ALLOW = \"1\"\nUI_BLOCK = \"1\"\nUI_ALERT = \"4\"\nUI_CIPHER = \"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH\"\nUI_SSL_VERSION = \"SSLv23:!SSLv3:!SSLv2\"\nUI_CXS = \"0\"\nUI_CSE = \"0\"\nMESSENGER = \"0\"\nMESSENGER_TEMP = \"1\"\nMESSENGER_PERM = \"1\"\nMESSENGER_USER = \"csf\"\nMESSENGER_HTTPS_CONF = \"/etc/httpd/conf.d/ssl.conf\"\nMESSENGER_HTTPS_KEY = \"/etc/pki/tls/private/localhost.key\"\nMESSENGER_HTTPS_CRT = \"/etc/pki/tls/certs/localhost.crt\"\nMESSENGER_HTTPS = \"8887\"\nMESSENGER_HTTPS_IN = \"443\"\nMESSENGER_HTML = \"8888\"\nMESSENGER_HTML_IN = \"80\"\nMESSENGER_TEXT = \"8889\"\nMESSENGER_TEXT_IN = \"21\"\nMESSENGER_RATE = \"100/s\"\nMESSENGER_BURST = \"150\"\nMESSENGER_CHILDREN = \"20\"\nMESSENGER_HTTPS_SKIPMAIL = \"1\"\nMESSENGERV3 = \"0\"\nMESSENGERV3LOCATION = \"/etc/httpd/conf.d/\"\nMESSENGERV3RESTART = \"service httpd restart\"\nMESSENGERV3TEST = \"/usr/sbin/apachectl -t\"\nMESSENGERV3HTTPS_CONF = \"/etc/httpd/conf/httpd.conf\"\nMESSENGERV3WEBSERVER = \"apache\"\nMESSENGERV3PERMS = \"711\"\nMESSENGERV3GROUP = \"apache\"\nMESSENGERV3PHPHANDLER = \"\"\nRECAPTCHA_SITEKEY = \"\"\nRECAPTCHA_SECRET = \"\"\nRECAPTCHA_ALERT = \"1\"\nRECAPTCHA_NAT = \"\"\nCLUSTER_SENDTO = \"\"\nCLUSTER_RECVFROM = \"\"\nCLUSTER_MASTER = \"\"\nCLUSTER_NAT = \"\"\nCLUSTER_LOCALADDR = \"\"\nCLUSTER_PORT = \"7777\"\nCLUSTER_KEY = \"\"\nCLUSTER_BLOCK = \"1\"\nCLUSTER_CONFIG = \"0\"\nCLUSTER_CHILDREN = \"10\"\nPORTKNOCKING = \"\"\nPORTKNOCKING_LOG = \"1\"\nPORTKNOCKING_ALERT = \"0\"\nLOGSCANNER = \"0\"\nLOGSCANNER_INTERVAL = 
\"hourly\"\nLOGSCANNER_STYLE = \"1\"\nLOGSCANNER_EMPTY = \"1\"\nLOGSCANNER_LINES = \"5000\"\nST_ENABLE = \"1\"\nST_IPTABLES = \"100\"\nST_LOOKUP = \"0\"\nST_SYSTEM = \"0\"\nST_SYSTEM_MAXDAYS = \"30\"\nST_MYSQL = \"0\"\nST_MYSQL_USER = \"root\"\nST_MYSQL_PASS = \"\"\nST_MYSQL_HOST = \"localhost\"\nST_APACHE = \"0\"\nST_DISKW = \"0\"\nST_DISKW_FREQ = \"5\"\nST_DISKW_DD = \"if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync\"\nDOCKER = \"0\"\nDOCKER_DEVICE = \"docker0\"\nDOCKER_NETWORK4 = \"172.17.0.0/16\"\nDOCKER_NETWORK6 = \"2001:db8:1::/64\"\nIPTABLES = \"/sbin/iptables\"\nIPTABLES_SAVE = \"/sbin/iptables-save\"\nIPTABLES_RESTORE = \"/sbin/iptables-restore\"\nIP6TABLES = \"/sbin/ip6tables\"\nIP6TABLES_SAVE = \"/sbin/ip6tables-save\"\nIP6TABLES_RESTORE = \"/sbin/ip6tables-restore\"\nMODPROBE = \"/sbin/modprobe\"\nIFCONFIG = \"/sbin/ifconfig\"\nSENDMAIL = \"/usr/sbin/sendmail\"\nPS = \"/bin/ps\"\nVMSTAT = \"/usr/bin/vmstat\"\nNETSTAT = \"/bin/netstat\"\nLS = \"/bin/ls\"\nMD5SUM = \"/usr/bin/md5sum\"\nTAR = \"/bin/tar\"\nCHATTR = \"/usr/bin/chattr\"\nUNZIP = \"/usr/bin/unzip\"\nGUNZIP = \"/bin/gunzip\"\nDD = \"/bin/dd\"\nTAIL = \"/usr/bin/tail\"\nGREP = \"/bin/grep\"\nZGREP = \"/bin/zgrep\"\nIPSET = \"/sbin/ipset\"\nSYSTEMCTL = \"/bin/systemctl\"\nHOST = \"/usr/bin/host\"\nIP = \"/bin/ip\"\nCURL = \"/usr/bin/curl\"\nWGET = \"/usr/bin/wget\"\nHTACCESS_LOG = \"/var/log/apache2/error.log\"\nMODSEC_LOG = \"/var/log/apache2/error.log\"\nSSHD_LOG = \"/var/log/auth.log\"\nSU_LOG = \"/var/log/messages\"\nSUDO_LOG = \"/var/log/secure\"\nFTPD_LOG = \"/var/log/messages\"\nSMTPAUTH_LOG = \"/var/log/secure\"\nPOP3D_LOG = \"/var/log/mail.log\"\nIMAPD_LOG = \"/var/log/mail.log\"\nIPTABLES_LOG = \"/var/log/messages\"\nSUHOSIN_LOG = \"/var/log/messages\"\nBIND_LOG = \"/var/log/messages\"\nSYSLOG_LOG = \"/var/log/messages\"\nWEBMIN_LOG = \"/var/log/auth.log\"\nCUSTOM1_LOG = \"/var/log/customlog\"\nCUSTOM2_LOG = \"/var/log/customlog\"\nCUSTOM3_LOG = 
\"/var/log/customlog\"\nCUSTOM4_LOG = \"/var/log/customlog\"\nCUSTOM5_LOG = \"/var/log/customlog\"\nCUSTOM6_LOG = \"/var/log/customlog\"\nCUSTOM7_LOG = \"/var/log/customlog\"\nCUSTOM8_LOG = \"/var/log/customlog\"\nCUSTOM9_LOG = \"/var/log/customlog\"\nPORTS_pop3d = \"110,995\"\nPORTS_imapd = \"143,993\"\nPORTS_htpasswd = \"80,443\"\nPORTS_mod_security = \"80,443\"\nPORTS_mod_qos = \"80,443\"\nPORTS_symlink = \"80,443\"\nPORTS_suhosin = \"80,443\"\nPORTS_cxs = \"80,443\"\nPORTS_bind = \"53;udp,53;tcp\"\nPORTS_ftpd = \"20,21\"\nPORTS_webmin = \"10000\"\nPORTS_smtpauth = \"25,465,587\"\nPORTS_eximsyntax = \"25,465,587\"\nPORTS_sshd = \"22\"\nGENERIC = \"1\"\nDEBUG = \"0\"\n
", "tags": ["configure"]}, {"location": "cheatsheet/structure/", "title": "Cheatsheet: File & Folder Structure", "text": "When installing, configuring, and running CSF, it is helpful to know where its files and folders are stored on your system and what their purpose is. A list of the files and folders used by CSF is provided below:
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#directory-structure", "title": "Directory Structure", "text": "Directories associated with ConfigServer Firewall which house all of the files used to configure and manage CSF.
Folder | Description
--- | ---
/etc/csf/ | configuration files
/var/lib/csf/ | temporary data files
/usr/local/csf/bin/ | scripts
/usr/local/csf/lib/ | perl modules and static data
/usr/local/csf/tpl/ | email alert templates
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#file-structure", "title": "File Structure", "text": "Files associated with ConfigServer Firewall configuration and management.
File | Description
--- | ---
/etc/csf/csf.conf | The main configuration file.
/etc/csf/csf.allow | A list of IPs and CIDR addresses that should always be allowed through the firewall.
/etc/csf/csf.deny | A list of IPs and CIDR addresses that should never be allowed through the firewall.
/etc/csf/csf.ignore | A list of IPs and CIDR addresses that the login failure daemon should ignore and not block if detected.
/etc/csf/csf.*ignore | Various ignore files that list files, users and IPs that the login failure daemon should ignore.
/lib/systemd/system/lfd.service | Service file for lfd (Login Failure Daemon)
/lib/systemd/system/csf.service | Service file for csf (ConfigServer Firewall)
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#patcher-files", "title": "Patcher Files", "text": "The following files are associated with the ConfigServer Firewall patcher, which adds special iptables rules so that CSF can communicate with Docker & OpenVPN.
File | Description
--- | ---
/usr/local/csf/bin/csfpre.sh | Patcher pre script. Runs before CSF configures iptables
/usr/local/csf/bin/csfpost.sh | Patcher post script. Runs after CSF configures iptables
/usr/local/include/csf/post.d/docker.sh | Docker patch for CSF which adds firewall rules for Docker and CSF
/usr/local/include/csf/post.d/openvpn.sh | OpenVPN patch for CSF which adds firewall rules for OpenVPN and CSF
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/", "title": "Cheatsheet: Troubleshooting", "text": "The information below is a list of errors you may receive within CSF, and steps on how to correct each issue.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/#cant-locate-object-method-new-via-package-cryptcbc-at-usrsbincsf-line", "title": "Can't locate object method \"new\" via package \"Crypt::CBC\" at /usr/sbin/csf line ***", "text": "This error occurs when Crypt::CBC cannot be found. It is sometimes seen when executing commands such as sudo csf -cp.
To correct the issue, open the file /usr/sbin/csf in a text editor.
Locate the lines:
use ConfigServer::Sendmail;\nuse ConfigServer::LookUpIP qw(iplookup);\n
Add a new line with use Crypt::CBC; (the trailing semicolon is required, or Perl will report a syntax error) as shown below:
use ConfigServer::Sendmail;\nuse ConfigServer::LookUpIP qw(iplookup);\nuse Crypt::CBC;\n
Save the file, and re-execute the command which caused the error.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/#csf46313-open3-exec-of-sbinipset-flush-failed-no-such-file-or-directory-at-usrsbincsf-line", "title": "csf[46313]: open3: exec of /sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line ****.", "text": "This error occurs when you are missing the package ipset. Install it with the following commands:
Debian based systems:
sudo apt update\nsudo apt-get install ipset\n
Redhat based systems:
sudo yum check-update\nsudo yum install ipset\n
", "tags": ["cheatsheet", "configure"]}, {"location": "csf/configure/", "title": "Configure & Startup", "text": "After you have installed ConfigServer Firewall in the previous chapter, you can start configuring it to suit your server\u2019s requirements.
", "tags": ["configure"]}, {"location": "csf/configure/#configure", "title": "Configure", "text": "The main configuration file for CSF is located at /etc/csf/csf.conf. You can use your preferred text editor to modify the file, such as nano or vim:
sudo nano /etc/csf/csf.conf\n
The list below outlines just a few of the important settings that you can modify within ConfigServer Firewall.
Patcher Note: When you run the patcher install.sh, TESTING MODE will automatically be disabled after the script has successfully completed.
TESTING: Set this value to 0 to disable testing mode and activate the firewall.
TCP_IN and TCP_OUT: These settings define the allowed incoming and outgoing TCP ports, respectively. Add or remove ports as required, separated by commas.
UDP_IN and UDP_OUT: These settings define the allowed incoming and outgoing UDP ports, respectively. Add or remove ports as required, separated by commas.
DENY_IP_LIMIT: This setting defines the maximum number of IP addresses that can be listed in the /etc/csf/csf.deny file. Adjust this limit as needed.
CT_LIMIT: This setting controls the number of connections from a single IP address that are allowed before the IP is temporarily blocked. Adjust this value according to your server\u2019s requirements.
Make sure to review the configuration file and adjust the settings to suit your server\u2019s needs. After making changes to the configuration file, save and exit the text editor.
Two csf.conf configuration files have been provided as examples, a full version and a clean (uncommented) version; both can be viewed on the csf.conf page.
", "tags": ["configure"]}, {"location": "csf/configure/#start-configserver", "title": "Start ConfigServer", "text": "After you have set your config file to its desired values, you can start or restart the CSF service to apply the configuration. Open a terminal and run:
", "tags": ["configure"]}, {"location": "csf/configure/#enable", "title": "Enable", "text": "-e, --enable
Enable csf and lfd if previously disabled
sudo csf -e\n
", "tags": ["configure"]}, {"location": "csf/configure/#start", "title": "Start", "text": "-s, --start
Starts the firewall and applies any rules that have been configured at startup.
sudo csf -s\n
", "tags": ["configure"]}, {"location": "csf/configure/#restart", "title": "Restart", "text": "-r, --restart
Restart firewall rules (csf)
sudo csf -r\n
A full list of CSF commands has been provided in our Cheatsheet: Commands section.
", "tags": ["configure"]}, {"location": "csf/configure/#next-steps", "title": "Next Steps", "text": "Next: Installing the Admin WebUI. Instructions for installing the CSF Admin Web Interface.", "tags": ["configure"]}, {"location": "csf/install/", "title": "Install CSF", "text": "These steps explain how to install ConfigServer Firewall on your system. There are two possible ways to install CSF, which are listed below:
The Patch method attempts to take much of the work out of installing CSF. It installs all prerequisites automatically and sets CSF to start with TESTING MODE disabled. After CSF is installed using the patcher, the Docker and OpenVPN patches will automatically be installed next.
The Manual method requires you to install all prerequisites yourself using your OS package manager, then download the latest copy of CSF and extract and install it on your system. You will have to run the patcher after you have installed CSF.
", "tags": ["install"]}, {"location": "csf/install/#install-using-patch", "title": "Install: Using Patch", "text": "If you would like to install ConfigServer Firewall using this repo's patcher, download the patch:
git clone https://github.com/Aetherinox/csf-firewall.git\n
Set the permissions for the install.sh file (the clone above lands in your current directory, so the path is relative to it):
sudo chmod +x ./csf-firewall/patch/install.sh\n
Run the script:
sudo ./csf-firewall/patch/install.sh\n
If ConfigServer Firewall is not already installed on your system, you should see:
Installing package iptables\n Installing package ipset\n Installing package ConfigServer Firewall\n\n Patch installer will now start ...\n
After the patcher has installed CSF, it will then automatically install the Docker and OpenVPN patches. All you need to do afterwards is ensure CSF is up and running.
Please proceed to the section Configure & Start CSF.
", "tags": ["install"]}, {"location": "csf/install/#install-manually", "title": "Install: Manually", "text": "", "tags": ["install"]}, {"location": "csf/install/#prerequisites", "title": "Prerequisites", "text": "For CentOS/RHEL:
sudo yum install perl ipset\n
For Debian/Ubuntu:
sudo apt-get update \nsudo apt-get install perl ipset\n
To download and install CSF, follow these steps:
wget https://download.configserver.com/csf.tgz\n
tar -xzf csf.tgz\n
cd csf\n
sudo sh install.sh\n
CSF will now be installed on your server, along with its Web UI (ConfigServer Firewall & Security) if you have a control panel like cPanel or DirectAdmin installed.
", "tags": ["install"]}, {"location": "csf/install/#next-steps", "title": "Next Steps", "text": "Next: How to Configure & Start CSF. Instructions for editing the CSF config file and starting CSF for the first time.", "tags": ["install"]}, {"location": "csf/testing/", "title": "Install CSF: Testing", "text": "Before enabling and configuring CSF, it is crucial to test whether it is compatible with your server. Run the following command to initiate the test:
sudo perl /usr/local/csf/bin/csftest.pl\n
The test will check for any potential issues or conflicts. If the test completes successfully, you will see the message:
RESULT: csf should function on this server.\n
If there are any problems, the test will provide information on how to resolve them.
", "tags": ["install"]}, {"location": "csf/uninstall/", "title": "Uninstall CSF", "text": "If you decide to uninstall CSF for any reason, follow these steps:
cd /etc/csf\n
sudo sh uninstall.sh\n
The script will remove CSF and its associated files from your server.
", "tags": ["install"]}, {"location": "csf/webui/", "title": "Install WebUI", "text": "ConfigServer Firewall offers a WebUI for managing the firewall from a browser. This section explains how to install the WebUI.
", "tags": ["install"]}, {"location": "csf/webui/#step-1-install-required-perl-modules", "title": "Step 1: Install Required Perl Modules:", "text": "The CSF WebUI requires a few Perl modules to be installed on your system. Use the following commands to install the required modules as per your operating system.
Debian based systems:
sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \\\n libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl\n
Redhat based systems:
sudo yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \\\n perl-IO-Socket-INET6 perl-Socket6\n
", "tags": ["install"]}, {"location": "csf/webui/#step-2-enable-csf-firewall-web-ui", "title": "Step 2: Enable CSF Firewall Web UI:", "text": "To enable the CSF web UI, edit the /etc/csf/csf.conf file in your favorite text editor and update the following values.
sudo vim /etc/csf/csf.conf\n
# 1 to enable, 0 to disable the web UI\nUI = \"1\"\n\n# Set the port for the web UI. The default port is 6666, but\n# I changed this to 1025 for easy access. The default port caused some issues\n# with the popular Chrome and Firefox browsers (in my case)\n\nUI_PORT = \"1025\"\n\n# Leave blank to bind to all IP addresses on the server\nUI_IP = \"\"\n\n# Set the username for authentication\nUI_USER = \"admin\"\n\n# Set a strong password for authentication\nUI_PASS = \"admin\"\n
Change the following values to your own: UI_PORT, UI_USER and UI_PASS.
After making changes, edit the /etc/csf/ui/ui.allow configuration file and add your public IP to allow access to the CSF UI. Replace YOUR_PUBLIC_IP_ADDRESS with your public IP address. Note that the append must run as root: with sudo echo ... >> file the redirection is performed by your unprivileged shell and fails, so pipe through sudo tee -a instead.
echo \"YOUR_PUBLIC_IP_ADDRESS\" | sudo tee -a /etc/csf/ui/ui.allow\n
The web UI runs under the lfd daemon, so restart lfd on your system using the following command.
sudo service lfd restart\n
In order to gain access to the online admin panel, you must ensure lfd and csf are running. You can check by running the command:
sudo service lfd status\n
You should see the lfd service running:
\u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since Mon 2024-08-05 11:59:38 MST; 1s ago\n Process: 46393 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 46407 (lfd - sleeping)\n Tasks: 8 (limit: 4613)\n Memory: 121.7M\n CPU: 2.180s\n CGroup: /system.slice/lfd.service\n
Next, confirm the csf service is also running:
sudo service csf status\n
Check the output of service csf status for errors. You should see no errors:
\u25cf csf.service - ConfigServer Firewall & Security - csf\n Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)\n Active: active (exited) since Mon 2024-08-05 12:04:09 MST; 1s ago\n Process: 46916 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)\n Main PID: 46916 (code=exited, status=0/SUCCESS)\n CPU: 12.692s\n
If you see the following error when running csf status:

```
csf[46313]: open3: exec of /sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line 5650.
```

You must install ipset:

```bash
sudo apt-get update
sudo apt-get install ipset
```
", "tags": ["install"]}, {"location": "csf/webui/#step-3-access-and-use-web-ui", "title": "Step 3: Access and Use Web UI:", "text": "Now, access CSF UI on your browser with the specified port. For this tutorial; we used 1025 port and accessed the CSF admin panel by opening our browser and going to:
```
https://127.0.0.1:1025
```

When prompted for the username and password, the default is:

| Field | Value |
| --- | --- |
| Username | admin |
| Password | admin |

After a successful login, you will see a screen like the one below.

- Allow IP Address: use this option to quickly allow any IP. This action adds the entry to the /etc/csf/csf.allow file.
- Deny IP Address: use this option to quickly deny any IP. This action adds the entry to the /etc/csf/csf.deny file.
- Unblock IP Address: use this option to quickly unblock any IP that is already blocked by CSF.
", "tags": ["install"]}, {"location": "csf/tutorials/authentik/", "title": "Authentik Integration", "text": "This section explains how to add Authentik as a middleware through Traefik so that you can secure the ConfigServer WebUI behind an authentication server.
If you are adding Authentik as middleware in the steps above; the last thing you must do is log in to your Authentik admin panel and add a new Provider so that we can access the CSF WebUI via your domain.
Once you sign into the Authentik admin panel, go to the left-side navigation, select Applications -> Providers. Then at the top of the new page, click Create.
For the provider, select Proxy Provider.

Add the following provider values:

- Name: CSF ForwardAuth
- Authentication flow: default-source-authentication (Welcome to authentik!)
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
- Select Forward Auth (single application)
- External host: https://csf.domain.com
Once finished, click Create. Then on the left-side menu, select Applications -> Applications. Then at the top of the new page, click Create.
Add the following parameters:

- Name: CSF (ConfigServer Firewall)
- Slug: csf
- Group: Administrative
- Provider: CSF ForwardAuth
- Backchannel Providers: None
- Policy Engine Mode: any
Save, and then on the left-side menu, select Applications -> Outposts:
Find your Outpost and edit it.
Move CSF (ConfigServer Firewall) to the right-side Selected Applications box.

You should now be able to access csf.domain.com and be prompted to authenticate with Authentik.
Geographical blocks allow you to blacklist or whitelist an entire country from accessing your services from within ConfigServer Firewall.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#getting-started", "title": "Getting Started", "text": "CSF allows you to pick which service you want to use for geographical blocks. By default, CSF uses db-ip, but you have the option to pick any of the following:
Maxmind
This service is free, but it requires you to sign up for an account and generate an API key in order to use the services. Some have reported that Maxmind databases are slightly more accurate than db-ip.
If you choose this provider, you must fill out MM_LICENSE_KEY within the csf.conf.
Advantages: This is a one stop shop for all of the databases required for these features. They provide a consistent dataset for blocking and reporting purposes
Disadvantages: MaxMind require a license key to download their databases. This is free of charge, but requires the user to create an account on their website to generate the required key.
db-ip, ipdeny, iptoasn
Advantages: The ipdeny.com databases for CC blocking are better optimised and so are quicker to process and create fewer iptables entries. All of these databases are free to download without requiring a login or key.
Disadvantages: Multiple sources mean that any one of the three could interrupt the provision of these features. It may also mean that there are inconsistencies between them.
Performance Impact
If using MaxMind, be aware of how many countries you allow / deny from accessing your server. The more countries you add, the more rules that will be added to CSF. These rules will be loaded every time you start or restart CSF; and may cause CSF to take longer-than-normal times to boot.
To change which database is used for geo blocking, open your CSF's csf.conf config file and locate the setting CC_SRC. If you have the ConfigServer WebUI enabled, you can access these settings from the CSF Admin WebUI.

```ini
# 2. DB-IP, ipdeny.com, iptoasn.com
#
# Advantages: The ipdeny.com databases for CC blocking are better optimised
# and so are quicker to process and create fewer iptables entries. All of these
# databases are free to download without requiring login or key
#
# Disadvantages: Multiple sources mean that any one of the three could
# interrupt the provision of these features. It may also mean that there are
# inconsistencies between them
#
# https://db-ip.com/db/lite.php
# http://ipdeny.com/
# https://iptoasn.com/
# http://download.geonames.org/export/dump/readme.txt

# Set the following to your preferred source:
#
# "1" - MaxMind
# "2" - db-ip, ipdeny, iptoasn
#
# The default is "2" on new installations of csf, or set to "1" to use the
# MaxMind databases after obtaining a license key
CC_SRC = "2"
```
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#using-maxmind", "title": "Using MaxMind", "text": "To configure MaxMind as your specified geo service; you must go to their website and register an account.
Once you have your account, on the left side; select Manage License Keys.
In the middle of the page, you should be able to generate a license key:
After the license key is generated, go back to your csf.conf and add the license key to your config. If you are using the CSF WebUI:
Next, you must install MaxMind's GeoIpUpdater utility which is what will download the IP address databases. This tool automatically updates GeoIP2 and GeoLite2 databases. The program connects to the MaxMind GeoIP Update server to check for new databases. If a new database is available, the program will download and install it.
A full set of instructions can also be found at:
Warning
If you are using a firewall, you must have the DNS and HTTPS ports open.
First, install:

```bash
sudo add-apt-repository ppa:maxmind/ppa
sudo apt update
sudo apt install geoipupdate
```

Once installed, make sure you have a license key generated on the MaxMind website. You will then need to create a new file in /etc/:

```bash
sudo touch /etc/GeoIP.conf
```

Add the following code to your newly created /etc/GeoIP.conf. After you paste the code below, you must change the following values:

- AccountID
- LicenseKey

```ini
# Please see https://dev.maxmind.com/geoip/updating-databases?lang=en for
# instructions on setting up geoipupdate, including information on how to
# download a pre-filled GeoIP.conf file.

# Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account
# ID and license key combination associated with your MaxMind account. These
# are available from https://www.maxmind.com/en/my_license_key.
AccountID 1000101
LicenseKey ABC1234_56af7s8dshF53Ha_abck

# Enter the edition IDs of the databases you would like to update.
# Multiple edition IDs are separated by spaces.
EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country

# The remaining settings are OPTIONAL.

# The directory to store the database files. Defaults to /usr/share/GeoIP
# DatabaseDirectory /usr/share/GeoIP

# The server to use. Defaults to "updates.maxmind.com".
# Host updates.maxmind.com

# The proxy host name or IP address. You may optionally specify a
# port number, e.g., 127.0.0.1:8888. If no port number is specified, 1080
# will be used.
# Proxy 127.0.0.1:8888

# The user name and password to use with your proxy server.
# ProxyUserPassword username:password

# Whether to preserve modification times of files downloaded from the server.
# Defaults to "0".
# PreserveFileTimes 0

# The lock file to use. This ensures only one geoipupdate process can run at a
# time.
# Note: Once created, this lockfile is not removed from the filesystem.
# Defaults to ".geoipupdate.lock" under the DatabaseDirectory.
# LockFile /usr/share/GeoIP/.geoipupdate.lock

# The amount of time to retry for when errors during HTTP transactions are
# encountered. It can be specified as a (possibly fractional) decimal number
# followed by a unit suffix. Valid time units are "ns", "us" (or "µs"), "ms",
# "s", "m", "h".
# Defaults to "5m" (5 minutes).
# RetryFor 5m

# The number of parallel database downloads.
# Defaults to "1".
# Parallelism 1
```
After you have created the above config, you need to launch the geoipupdate app. Multiple commands are provided below depending on whether you want to specify where your downloaded databases are placed. A list of arguments is also provided. In our example, we are going to start geoipupdate and download the databases to the path /var/lib/csf/Geo/.

- -d, --database-directory: Install databases to a custom directory. This is optional. If provided, it overrides the DatabaseDirectory value from the configuration file and the GEOIPUPDATE_DB_DIR environment variable.
- -f, --config-file: The configuration file to use. See GeoIP.conf and its documentation for more information. This is optional. It defaults to the environment variable GEOIPUPDATE_CONF_FILE if it is set, or CONFFILE otherwise.
- --parallelism: Set the number of parallel database downloads.
- -h, --help: Display help and exit.
- --stack-trace: Show a stack trace on any error message. This is primarily useful for debugging.
- -V, --version: Display version information and exit.
- -v, --verbose: Enable verbose mode. Prints out the steps that geoipupdate takes. If provided, it overrides any GEOIPUPDATE_VERBOSE environment variable.
- -o, --output: Output download/update results in JSON format.

Start (Basic):

```bash
sudo geoipupdate
```

Start (Custom Paths):

```bash
sudo geoipupdate --database-directory /var/lib/csf/Geo/ --config-file /etc/GeoIP.conf
```

Start (Verbose Logging):

```bash
sudo geoipupdate -v --database-directory /var/lib/csf/Geo/ --config-file /etc/GeoIP.conf
```
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#using-db-ip-ipdeny-iptoasn", "title": "Using db-ip, ipdeny, iptoasn", "text": "This is the second option you can pick within CSF for Geographical blocking. When initially tried, it worked right out of box. It required no modifications, no packages to be installed, and no license keys.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#allow-deny-countries", "title": "Allow / Deny Countries", "text": "After you've completed the steps above, you can whitelist or blacklist specific countries from accessing your server; the lists are managed through your ConfigServer Firewall.
Pick your preferred method:
Open up your csf.conf file in a text editor and locate the following settings:

- CC_DENY
- CC_ALLOW

```ini
# In the following options, specify the two-letter ISO Country Code(s).
# The iptables rules are for incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
```

In our example, we will blacklist the country China, which uses the abbreviation CN. To do so, our config will look like the following:

```ini
CC_DENY = "CN"
CC_ALLOW = ""
```

To specify multiple countries, add a comma (,) delimiter between each country.

```ini
CC_DENY = "CN"
CC_ALLOW = "US,GB,DE"
```

Keep in mind the warning in the config comments above: CC_ALLOW opens every port in the firewall to the listed countries, which is why the csf.conf comments recommend CC_ALLOW_FILTER instead.
Our rules above mean:

| Setting | Countries | Description |
| --- | --- | --- |
| CC_DENY | China | Blacklisted countries: cannot access our server |
| CC_ALLOW | United States, Great Britain, Germany | Whitelisted countries: can access our server |
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#manage-with-csf-webui", "title": "Manage with CSF WebUI", "text": "Sign into the ConfigServer WebUI.
Select the tab CSF, scroll down and select Firewall Configuration, and then in the top dropdown box in the middle of the page, select Country Code Lists and Settings.
We will add the following to each setting:
```ini
CC_DENY = "CN"
CC_ALLOW = "US,GB,DE"
```
Below is an animated gif showing the steps.
Once you have modified your country values; scroll to the very bottom and press the Change button.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#restart-csf", "title": "Restart CSF", "text": "After you have whitelisted / blacklisted your desired countries; give CSF a restart:
-ra, --restartall: Restart firewall rules (csf) and then restart the lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files.

```bash
sudo csf -ra
```
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/traefik/", "title": "Traefik Integration", "text": "This section explains how to integrate ConfigServer Firewall and Traefik so that you can access the CSF WebUI via your domain name, but restrict access to the server IP address and port.
Open /etc/csf/csf.conf and change UI_IP. This specifies the IP address that the CSF WebUI will bind to. By default, the value is empty and binds CSF's WebUI to all IPs on your server.

Find:

```ini
UI_IP = ""
```

Change the IP to the address on your Docker network subnet (172.17.0.1 is the host's address on the default docker0 bridge). You MUST use the format below, which is the IPv4-mapped IPv6 form ::ffff:IPv4:

```ini
UI_IP = "::ffff:172.17.0.1"
```
The above change will ensure that your CSF WebUI is not accessible via your public IP address. We're going to allow access to it via your domain name, but add some Traefik middleware so that you must authenticate before you can access the WebUI.
Next, we can add CSF through Docker and Traefik so that it's accessible via csf.domain.com. Open up your Traefik's dynamic.yml and add the following. Note that entries carrying rule, service and entryPoints are routers in Traefik's file provider and belong under http -> routers; the middlewares they reference are defined separately:

```yaml
http:
  routers:
    csf-http:
      service: "csf"
      rule: "Host(`csf.{{ env "SERVER_DOMAIN" }}`)"
      entryPoints:
        - "http"
      middlewares:
        - https-redirect@file

    csf-https:
      service: "csf"
      rule: "Host(`csf.{{ env "SERVER_DOMAIN" }}`)"
      entryPoints:
        - "https"
      middlewares:
        - authentik@file
        - whitelist@file
        - geoblock@file
      tls:
        certResolver: cloudflare
        domains:
          - main: "{{ env "SERVER_DOMAIN" }}"
            sans:
              - "*.{{ env "SERVER_DOMAIN" }}"
```
At the bottom of the same file, we must now add a new loadBalancer entry under http -> services. Change the ip and port if you have different values:

```yaml
http:
  routers:
    [CODE FROM ABOVE]
  services:
    csf:
      loadBalancer:
        servers:
          - url: "https://172.17.0.1:8546/"
```
With the example above, we are also going to add a few middlewares:

- https-redirect@file: redirects plain HTTP requests to HTTPS
- authentik@file: forwards authentication to Authentik before the request reaches the WebUI
- whitelist@file: restricts which IP addresses may reach the WebUI
- geoblock@file: restricts access by country

By applying the above middlewares, we can restrict what IP addresses can access your CSF WebUI, as well as add Authentik's authentication system so that you must authenticate before getting into the CSF WebUI. These are all optional, and you can apply whatever middlewares you deem fit.

You must configure the above middleware if you have not added it to Traefik yet. This guide does not go into how to add middleware to Traefik; that information can be found at:
Once you configure these changes in Traefik, you can restart your Traefik docker container. The command for that depends on how you set up the container. If you used docker-compose.yml, you can cd into the folder with the docker-compose.yml file and then execute:

```bash
docker compose down && docker compose up -d
```
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/traefik/#next-steps", "title": "Next Steps", "text": "Next: Integrating Authentik Instructions for adding Authentik middleware to ConfigServer via Traefik ../authentik ../authentik", "tags": ["configure", "tutorials"]}, {"location": "patcher/configure/", "title": "Configure Patches", "text": "Before you run the downloaded patcher; there are several files you must open and edit. Do not run the patcher yet.
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#docker", "title": "Docker", "text": "The Docker patch has a few settings that must be modified. To change these settings, open the file:
```bash
sudo nano /patch/docker.sh
```

Find the following settings:

```bash
DOCKER_INT="docker0"
NETWORK_MANUAL_MODE="false"
NETWORK_ADAPT_NAME="traefik"
CSF_FILE_ALLOW="/etc/csf/csf.allow"
CSF_COMMENT="Docker container whitelist"
DEBUG_ENABLED="true"

# #
# list > network ips
#
# this is the list of IP addresses you will use with docker that must be
# whitelisted.
# #

IP_CONTAINERS=(
    '172.17.0.0/16'
)
```
The settings are outlined below:

| Setting | Description |
| --- | --- |
| DOCKER_INT | main docker network interface |
| NETWORK_MANUAL_MODE | set true if you are manually assigning the ip address for each docker container |
| NETWORK_ADAPT_NAME | requires NETWORK_MANUAL_MODE="true"; name of the adapter you are specifying |
| CSF_FILE_ALLOW | path to your csf.allow file |
| CSF_COMMENT | comment added to each new whitelisted docker ip |
| DEBUG_ENABLED | debugging / better logs |
| IP_CONTAINERS | list of ip address blocks you will be using for your docker setup; these blocks will be whitelisted through ConfigServer Firewall |
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#settings", "title": "Settings", "text": "Each individual setting with a detailed description
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#docker_int", "title": "DOCKER_INT", "text": "Since version 2.0.0. Default: docker0
The main docker virtual bridge network name; this is usually docker0, however, it can be changed. You can find a list of these by running the command

```bash
ip link show
```

Output:

```
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 01:af:fd:1a:a1:2f brd ff:ff:ff:ff:ff:ff
```
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#network_manual_mode", "title": "NETWORK_MANUAL_MODE", "text": "
Since version 2.0.0. Default: false

Set true if you are manually assigning external: true for each docker container within your docker-compose.yml.

```yaml
networks:
  my-docker-network:
    name: my-docker-network
    external: true
```

```bash
NETWORK_MANUAL_MODE="true"
NETWORK_ADAPT_NAME="my-docker-network"
```

If you set NETWORK_MANUAL_MODE="true", ensure you also configure the setting NETWORK_ADAPT_NAME.
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#network_adapt_name", "title": "NETWORK_ADAPT_NAME", "text": "
Since version 2.0.0. Default: traefik

The name of the adapter you are specifying if you have manually specified a network adapter in your docker container's docker-compose.yml. Requires NETWORK_MANUAL_MODE="true".

```yaml
networks:
  my-docker-network:
    name: my-docker-network
    external: true
```

```bash
NETWORK_MANUAL_MODE="true"
NETWORK_ADAPT_NAME="my-docker-network"
```
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#openvpn", "title": "OpenVPN", "text": "
The OpenVPN patch has a few settings that must be modified. To change these settings, open the file:
```bash
sudo nano /patch/openvpn.sh
```
", "tags": ["install", "patch"]}, {"location": "patcher/download/", "title": "Download Patches", "text": "After you have installed CSF, ConfigServer WebUI, and enabled both lfd and csf services; it's now time to run the patcher. The patcher will check your current configuration, and add a series of iptable rules so that apps like Docker and OpenVPN can communicate with the outside world and users can access your services.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#about", "title": "About", "text": "The patcher includes several patches:
Docker
Allows for you to restart CSF without having to restart your docker containers. Scans every container you have set up in docker and adds a whitelist firewall rule. Automatically enables CSF Docker Mode.
OpenVPN
Allows VPN clients to connect to your OpenVPN server without being blocked by the CSF firewall.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#download", "title": "Download", "text": "Within your server, change to whatever directory where you want to download the patcher:
```bash
cd $HOME/Documents
```

Next, ensure you have the package git installed so that we can use it to fetch the patch:

```bash
sudo apt-get install git
```

Clone the patch repo:

```bash
git clone https://github.com/Aetherinox/csf-firewall.git
```

Finally, set new permissions on the patcher's install.sh file by running the command:

```bash
sudo chmod +x /patch/install.sh
```
The patcher is now on your system and ready to run. However, before we run the patcher; there are a few things that need to be configured. Do not run the patch yet.
Proceed to the Configure section.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#next-steps", "title": "Next Steps", "text": "Next: How to configure the patcher Instructions for configuring the patches included ../configure/ ../configure/", "tags": ["install", "patch"]}, {"location": "about/tags/", "title": "Tags", "text": "Following is a list of relevant tags:
"}, {"location": "about/tags/#changelog", "title": "changelog", "text": "Welcome to the ConfigServer documentation
"}, {"location": "about_csf/", "title": "About ConfigServer Firewall", "text": "
This section is optional to read. It simply outlines what the patcher does from the time of execution to better explain what will be happening on your system.

- The /patch folder is copied to your system.
- The install.sh file is set to be executable: sudo chmod +x install.sh
- The install.sh script is run: sudo ./install.sh
- The following files are placed on your system:
  - /usr/local/csf/bin/csfpre.sh
  - /usr/local/csf/bin/csfpost.sh
  - /usr/local/include/csf/post.d/docker.sh
  - /usr/local/include/csf/post.d/openvpn.sh
- The Docker patch will first check to ensure you have the following: a docker* or br-* network interface
- The OpenVPN patch will first check to ensure you have the following: a tun* interface (tun0, tun1, etc) and an eth* or enp* interface
- The checks rely on these commands: ip link show, ifconfig, openvpn --version
- You can re-run install.sh any time after the initial setup: if the csfpre, csfpost, or patch files do not exist, they will be re-added to your system.

This documentation is related to the github repository for ConfigServer Firewall; a popular and powerful firewall solution for Linux servers. On top of documentation for the software itself; this repository includes added patches which allow you to seamlessly integrate Docker and OpenVPN server with ConfigServer Firewall so that all of the services can communicate between each other without interruption.
This documentation covers the following:

- feat: add new patch openvpn
- feat: add new command-line arguments:
  - -d, --dev for advanced logging
  - -f, --flush to completely remove iptable rules
  - -r, --report to display dependency stats, app information, etc.
  - -v, --version to display patcher version
- enhance: docker patch now allows for multiple ip blocks to be whitelisted
- refactor: re-write of script
- refactor: merge all scripts into one
- bug: fixed issue with manual mode being disabled - #1
- bug: fixed error "docker network inspect" requires at least 1 argument. - #1
- bug: fixed error invalid port/service '-j' error
- docs: rewrite documentation to include better instructions
- ci: add workflow to automatically grab latest version of ConfigServer Firewall and append to each release

This documentation uses some symbols for illustration purposes. Before you read on, please make sure you've made yourself familiar with the following list of conventions:
"}, {"location": "about/conventions/#release-type", "title": "Release Type", "text": "The tag symbol in conjunction with a version number denotes when a specific feature or behavior was added. Make sure you're at least on this version if you want to use it.

- stable
- beta
"}, {"location": "about/conventions/#default", "title": "Controls", "text": "These icons define what type of control a specified setting uses.

- toggle
- textbox
- dropdown
- button
- slider
- color wheel
"}, {"location": "about/conventions/#default", "title": "\u2013 Default Value", "text": "This defines what the default value for a setting is.

- Specified setting has a default value
- Specified setting has no default value and is empty
- Specified setting is automatically computed by the app
"}, {"location": "about/conventions/#command", "title": "\u2013 Command", "text": "This defines a command.

- Specified setting has a default value
"}, {"location": "about/conventions/#experimental", "title": "\u2013 Experimental", "text": "Anything listed with this icon are features or functionality that are still in development and may change in future versions.
"}, {"location": "about/conventions/#required", "title": "\u2013 Required value", "text": "Items listed with this symbol indicate that they are required to be set.
"}, {"location": "about/conventions/#customization", "title": "\u2013 Customization", "text": "This symbol denotes that the item described is a customization which affects the overall look of the app.
"}, {"location": "about/conventions/#3rd-party", "title": "\u2013 3rd Party", "text": "This symbol denotes that the item described is classified as something that changes the overall functionality of the plugin.
"}, {"location": "about/conventions/#metadata", "title": "\u2013 Metadata property", "text": "This symbol denotes that the item described is a metadata property, which can be used in Markdown documents as part of the front matter definition.
"}, {"location": "about/conventions/#setting", "title": "\u2013 Configurable Setting", "text": "This symbol denotes that an item is configurable by the user
"}, {"location": "about/conventions/#multiple-instances", "title": "\u2013 Multiple instances", "text": "This symbol denotes that the plugin supports multiple instances, i.e, that it can be used multiple times in the plugins
setting in mkdocs.yml
.
Most of the features are hidden behind feature flags, which means they must be explicitly enabled via mkdocs.yml
. This allows for the existence of potentially orthogonal features.
The pumping heart symbol denotes that a specific feature or behavior is only available to backers. Normal users will not have access to this particular item.
"}, {"location": "about/license/", "title": "License", "text": "MIT License
Copyright \u00a9 2024 Aetherinox
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"}, {"location": "blog/", "title": "Blog", "text": ""}, {"location": "cheatsheet/commands/", "title": "Cheatsheet: Commands", "text": "When installing, configuring, and running CSF; it is helpful to know where files and folders are stored within your system, and what their purpose is. A list of these files and folders used by CSF are provided below:
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#enable", "title": "Enable", "text": "-e, --enable
Enable csf and lfd if previously disabled
```bash
sudo csf -e
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#disable", "title": "Disable", "text": "-x, --disable
Disable csf and lfd completely
```bash
sudo csf -x
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#start", "title": "Start", "text": "-s, --start
Starts the firewall and applies any rules that have been configured at startup.
```bash
sudo csf -s
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#stop", "title": "Stop", "text": "-f, --stop
Flush/Stop firewall rules (Note: lfd may restart csf)
```bash
sudo csf -f
```

Output (stop):

```
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `CC_ALLOWPORTS'
[ ... ]
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWP'
Deleting chain `CC_ALLOWPORTS'
[ ... ]
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#restart", "title": "Restart", "text": "-r, --restart
Restart firewall rules (csf)
```bash
sudo csf -r
```

Output (restart):

```
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWP'
Flushing chain `CC_ALLOWPORTS'
[ ... ]
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#quick-restart", "title": "Quick Restart", "text": "-q, --startq
Quick restart (csf restarted by lfd)
```bash
sudo csf -q
```

Output (startq):

```
lfd will restart csf within the next 5 seconds
```
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#force-restart", "title": "Force Restart", "text": "-sf, --startf
Force CLI restart regardless of LFDSTART setting
sudo csf -sf\n
startf Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `OUTPUT'\nFlushing chain `ALLOWIN'\nFlushing chain `ALLOWOUT'\nFlushing chain `CC_ALLOWP'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#restart-all", "title": "Restart All", "text": "-ra, --restartall
Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files
sudo csf -ra\n
restartall Flushing chain `INPUT'\nFlushing chain `FORWARD'\nFlushing chain `OUTPUT'\nFlushing chain `ALLOWIN'\nFlushing chain `ALLOWOUT'\nFlushing chain `CC_ALLOWP'\nFlushing chain `CC_ALLOWPORTS'\n[ ... ]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#cluster-restart", "title": "Cluster Restart", "text": "-crs, --crestart
Cluster restart csf and lfd
sudo csf -crs\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#manage-lfd-daemon", "title": "Manage Lfd Daemon", "text": "--lfd [stop|start|restart|status]
Actions to take with the lfd daemon
sudo csf --lfd stop\nsudo csf --lfd start\nsudo csf --lfd restart\nsudo csf --lfd status\n
stop No output\n
start No output\n
restart \u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since 15ms ago\n Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 3782 (lfd - starting)\n Tasks: 1 (limit: 4613)\n Memory: 38.7M\n CPU: 366ms\n CGroup: /system.slice/lfd.service\n \u251c\u25003782 \"lfd - starting\"\n \u2514\u25003784 \"lfd - starting\"\n\nsystemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...\nsystemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.\n
status \u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since 1min 3s ago\n Process: 3769 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 3782 (lfd - sleeping)\n Tasks: 2 (limit: 4613)\n Memory: 45.2M\n CPU: 9.476s\n CGroup: /system.slice/lfd.service\n \u251c\u25003782 \"lfd - sleeping\"\n \u2514\u25003791 \"lfd UI\"\n\nsystemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...\nsystemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#check-for-updates", "title": "Check for Updates", "text": "-c, --check
Check for updates to csf but do not upgrade
sudo csf -c\n
Output csf is already at the latest version: v14.20\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#update", "title": "Update", "text": "-u, --update
Check for updates to csf and upgrade if available
sudo csf -u\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#update-force", "title": "Update (Force)", "text": "-uf
Force an update of csf whether an upgrade is required or not
sudo csf -uf\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#version", "title": "Version", "text": "-v, --version
Show csf version
sudo csf -v\n
Output csf: v14.20 (generic)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#list-firewall-rules-ipv4", "title": "List Firewall Rules (IPv4)", "text": "-l, --status
List/Show the IPv4 iptables configuration
sudo csf -l\n
Output iptables filter table\n=====================\nChain INPUT (policy DROP 0 packets, 0 bytes)\nnum pkts bytes target prot opt in out source destination \n1 33 2492 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000,5353\n2 758 55610 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 4000\n3 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5353\n4 5209K 28G LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0 \n13 3 180 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22\n14 998 56956 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25\n15 123 5612 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53\n16 16 680 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:853\n17 2 100 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80\n18 74 3148 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:110\n19 125 5624 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:143\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#list-firewall-rules-ipv6", "title": "List Firewall Rules (IPv6)", "text": "-l6, --status6
List/Show the IPv6 ip6tables configuration
sudo csf -l6\n
Output ip6tables filter table\n======================\nChain INPUT (policy DROP 0 packets, 0 bytes)\nnum pkts bytes target prot opt in out source destination \n8 0 0 ACCEPT all !lo * ::/0 ::/0 ctstate RELATED,ESTABLISHED\n9 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:20\n10 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:21\n11 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:22\n12 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:25\n13 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:53\n14 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:853\n15 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:80\n16 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:110\n17 0 0 ACCEPT tcp !lo * ::/0 ::/0 ctstate NEW tcp dpt:143\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-ip-to-allow-list", "title": "Add IP to Allow List", "text": "-a, --add ip [comment]
Allow an IP and add to /etc/csf/csf.allow
sudo csf -a <IP_ADDRESS>\nsudo csf -a 142.250.189.142\n
Output Adding 142.250.189.142 to csf.allow and iptables ACCEPT...\ncsf: IPSET adding [142.250.189.142] to set [chain_ALLOW]\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-ip-to-allow-list", "title": "Remove IP from Allow List", "text": "-ar, --addrm ip
Remove an IP from /etc/csf/csf.allow and delete the corresponding rule
sudo csf -ar <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-ip-to-deny-list", "title": "Add IP to Deny List", "text": "-d, --deny ip [comment]
Deny an IP and add to /etc/csf/csf.deny
sudo csf -d <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-ip-from-deny-list", "title": "Remove IP from Deny List", "text": "-dr, --denyrm ip
Unblock an IP and remove from /etc/csf/csf.deny
sudo csf -dr <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-all-ips-from-deny-list", "title": "Remove All IPs from Deny List", "text": "-df, --denyf
Remove and unblock all entries in /etc/csf/csf.deny
sudo csf -df\n
Output csf: all entries removed from csf.deny\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#grep-search-for-ip", "title": "Grep Search for IP", "text": "-g, --grep ip
Search the iptables and ip6tables rules for a match (e.g. IP, CIDR, Port Number)
sudo csf -g <STRING>\nsudo csf -g 22\nsudo csf -g ACCEPT\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#lookup-ip", "title": "Lookup IP", "text": "-i, --iplookup ip
Lookup IP address geographical information using CC_LOOKUPS setting in /etc/csf/csf.conf
sudo csf -i <IP_ADDRESS>\nsudo csf -i 142.250.189.142\n
Output 142.250.189.142 (US/United States/mia09s26-in-f14.1e100.net)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-temp-allowban-list", "title": "View Temp Allow/Ban List", "text": "-t, --temp
Displays the current list of temporary allow and deny IP entries with their TTL and comment
sudo csf -t\n
Output A/D IP address Port Dir Time To Live Comment\nALLOW 142.250.189.142 * inout 58m 56s Manually added: 142.250.189.142 (US/United States/mia09s26-in-f14.1e100.net)\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-allowban-ip", "title": "Remove Temp Allow/Ban IP", "text": "-tr, --temprm ip
Remove an IP from the temporary IP ban or allow list
sudo csf -tr <IP_ADDRESS>\nsudo csf -tr 142.250.189.142\n
Output ACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142 \ncsf: 142.250.189.142 temporary allow removed\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-ban-ip", "title": "Remove Temp Ban IP", "text": "-trd, --temprmd ip
Remove an IP from the temporary IP ban list only
sudo csf -trd <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#remove-temp-allow-ip", "title": "Remove Temp Allow IP", "text": "-tra, --temprma ip
Remove an IP from the temporary IP allow list only
sudo csf -tra <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-temp-block-ip", "title": "Add Temp Block IP", "text": "-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds; one suffix of h/m/d can be used). Optional port. Optional direction of block can be one of: in, out or inout (default: in)
sudo csf -td <IP_ADDRESS>\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#add-temp-allow-ip", "title": "Add Temp Allow IP", "text": "-ta, --tempallow ip ttl [-p port] [-d direction] [comment]
Add an IP to the temp IP allow list (default:inout)
sudo csf -ta <IP_ADDRESS>\nsudo csf -ta 142.250.189.142\n
Output ACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#flush-all-temp-ip-entries", "title": "Flush All Temp IP Entries", "text": "-tf, --tempf
Flush all IPs from the temporary IP entries
sudo csf -tf\n
Output csf: There are no temporary IP bans\nACCEPT all opt -- in !lo out * 142.250.189.142 -> 0.0.0.0/0 \nACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 142.250.189.142 \ncsf: 142.250.189.142 temporary allow removed\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#initiate-lfd-log-scanner", "title": "Initiate Lfd Log Scanner", "text": "-lr, --logrun
Initiate Log Scanner report via lfd
sudo csf -lr\n
If you receive the following error in the console:
Output Option LOGSCANNER needs to be enabled in csf.conf for this feature\n
Open your csf.conf configuration file, locate the setting LOGSCANNER, and change the value to 1:
###############################################################################\n# SECTION:Log Scanner\n###############################################################################\n# Log Scanner. This feature will send out an email summary of the log lines of\n# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless\n# they match a regular expression in /etc/csf/csf.logignore\n#\n# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,\n# be aware that the more files lfd has to track, the greater the performance\n# hit. Note: File globs are only evaluated when lfd is started\n#\n# Note: lfd builds the report continuously from lines logged after lfd has\n# started, so any lines logged when lfd is not running will not be reported\n# (e.g. during reboot). If lfd is restarted, then the report will include any\n# lines logged during the previous lfd logging period that weren't reported\n#\n# 1 to enable, 0 to disable\nLOGSCANNER = \"0\"\n
Then go back to console and re-run the command.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-ports", "title": "View Ports", "text": "-p, --ports
View ports on the server that have a running process behind them listening for external connections
sudo csf -p\n
Output Ports listening for external connections and the executables running behind them:\nPort/Proto Open Conn PID/User Command Line Executable\n631/tcp -/- - (1090/root) /usr/sbin/cupsd -l /usr/sbin/cupsd\n8546/tcp 4/6 - (4627/root) lfd UI /usr/bin/perl\n5353/udp -/- - (337/systemd-resolve /lib/systemd/systemd-resolved /usr/lib/systemd/systemd-resolved\n5353/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n40857/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n49833/udp -/- - (702/avahi) avahi-daemon: running [local] /usr/sbin/avahi-daemon\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/commands/#view-graphs", "title": "View Graphs", "text": "--graphs [graph type] [directory]
Generate System Statistics html pages and images for a given graph type into a given directory. See ST_SYSTEM for requirements
[graph type]
sudo csf --graphs <GRAPH_TYPE> <SAVE_PATH>\nsudo csf --graphs mem /home/$USER/graphs\n
If you run the above command and see the error:
Output ST_SYSTEM is disabled\n
Open your csf.conf configuration file, locate the setting ST_SYSTEM, and change the value to 1:
# This option will gather basic system statstics. Through the UI it displays\n# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:\n# . Hourly (per minute)\n# . 24 hours (per minute)\n# . 7 days (per minute averaged over an hour)\n# . 30 days (per minute averaged over an hour) - user definable\n# The data is stored in /var/lib/csf/stats/system and the option requires the\n# perl GD::Graph module\n#\n# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on\n# those systems do not store the required information in /proc/diskstats\n# On new installations or when enabling this option it will take time for these\n# graphs to be populated\nST_SYSTEM = \"0\"\n
If you receive the error:
Output Perl module GD::Graph is not installed/working\n
Install the package libgd-graph-perl:
sudo apt-get install libgd-graph-perl\n
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/conf/", "title": "Configure: csf.conf", "text": "Two versions of the config file are provided below: a full version which contains comments, and a clean version which contains only the config settings with no comments.
You may copy the contents and place them on your server under the path /etc/csf/csf.conf.
After you have set your config file to its desired values, you must restart the CSF service to apply the configuration. Open a terminal and run:
sudo csf -r\n
You can also restart both CSF and LFD services with -ra, --restartall
sudo csf -ra\n
", "tags": ["configure"]}, {"location": "cheatsheet/conf/#full-version", "title": "Full Version", "text": "###############################################################################\n# SECTION:Initial Settings\n###############################################################################\n# Testing flag - enables a CRON job that clears iptables incase of\n# configuration problems when you start csf. This should be enabled until you\n# are sure that the firewall works - i.e. incase you get locked out of your\n# server! Then do remember to set it to 0 and restart csf when you're sure\n# everything is OK. Stopping csf will remove the line from /etc/crontab\n#\n# lfd will not start while this is enabled\nTESTING = \"0\"\n\n# The interval for the crontab in minutes. Since this uses the system clock the\n# CRON job will run at the interval past the hour and not from when you issue\n# the start command. Therefore an interval of 5 minutes means the firewall\n# will be cleared in 0-5 minutes from the firewall start\nTESTING_INTERVAL = \"5\"\n\n# SECURITY WARNING\n# ================\n#\n# Unfortunately, syslog and rsyslog allow end-users to log messages to some\n# system logs via the same unix socket that other local services use. 
This \n# means that any log line shown in these system logs that syslog or rsyslog\n# maintain can be spoofed (they are exactly the same as real log lines).\n#\n# Since some of the features of lfd rely on such log lines, spoofed messages\n# can cause false-positive matches which can lead to confusion at best, or\n# blocking of any innocent IP address or making the server inaccessible at\n# worst.\n#\n# Any option that relies on the log entries in the files listed in\n# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered\n# vulnerable to exploitation by end-users and scripts run by end-users.\n#\n# NOTE: Not all log files are affected as they may not use syslog/rsyslog\n#\n# The option RESTRICT_SYSLOG disables all these features that rely on affected\n# logs. These options are:\n# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT\n# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP\n# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT\n# PORTKNOCKING_ALERT LF_SUDO_EMAIL_ALERT\n#\n# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:\n# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG\n#\n# The following options are still enabled by default on new installations so\n# that, on balance, csf/lfd still provides expected levels of security:\n# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT\n#\n# If you set RESTRICT_SYSLOG to \"0\" or \"2\" and enable any of the options listed\n# above, it should be done with the knowledge that any of the those options\n# that are enabled could be triggered by spoofed log lines and lead to the\n# server being inaccessible in the worst case. 
If you do not want to take that\n# risk you should set RESTRICT_SYSLOG to \"1\" and those features will not work\n# but you will not be protected from the exploits that they normally help block\n#\n# The recommended setting for RESTRICT_SYSLOG is \"3\" to restrict who can access\n# the syslog/rsyslog unix socket.\n#\n# For further advice on how to help mitigate these issues, see\n# /etc/csf/readme.txt\n#\n# 0 = Allow those options listed above to be used and configured\n# 1 = Disable all the options listed above and prevent them from being used\n# 2 = Disable only alerts about this feature and do nothing else\n# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **\nRESTRICT_SYSLOG = \"0\"\n\n# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts\n# write access to the syslog/rsyslog unix socket(s). The group must not already\n# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option\n# to a unique name for the server\n#\n# You can add users to this group by changing /etc/csf/csf.syslogusers and then\n# restarting lfd afterwards. This will create the system group and add the\n# users from csf.syslogusers if they exist to that group and will change the\n# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be\n# monitored and the permissions re-applied should syslog/rsyslog be restarted\n#\n# Using this option will prevent some legitimate logging, e.g. end-user cron\n# job logs\n#\n# If you want to revert RESTRICT_SYSLOG to another option and disable this\n# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then\n# syslog/rsyslog and the unix sockets will be reset\nRESTRICT_SYSLOG_GROUP = \"mysyslog\"\n\n# This options restricts the ability to modify settings within this file from\n# the csf UI. Should the parent control panel be compromised, these restricted\n# options could be used to further compromise the server. 
For this reason we\n# recommend leaving this option set to at least \"1\" and if any of the\n# restricted items need to be changed, they are done so from the root shell\n#\n# 0 = Unrestricted UI\n# 1 = Restricted UI\n# 2 = Disabled UI\nRESTRICT_UI = \"1\"\n\n# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which\n# runs once per day to see if there is an update to csf+lfd and upgrades if\n# available and restarts csf and lfd\n#\n# You should check for new version announcements at http://blog.configserver.com\nAUTO_UPDATES = \"1\"\n\n###############################################################################\n# SECTION:IPv4 Port Settings\n###############################################################################\n# Lists of ports in the following comma separated lists can be added using a\n# colon (e.g. 30000:35000).\n\n# Some kernel/iptables setups do not perform stateful connection tracking\n# correctly (typically some virtual servers or custom compiled kernels), so a\n# SPI firewall will not function correctly. If this happens, LF_SPI can be set\n# to 0 to reconfigure csf as a static firewall.\n#\n# As connection tracking will not be configured, applications that rely on it\n# will not function unless all outgoing ports are opened. Therefore, all\n# outgoing connections will be allowed once all other tests have completed. So\n# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.\n#\n# If you allow incoming DNS lookups you may need to use the following\n# directive in the options{} section of your named.conf:\n#\n# query-source port 53;\n#\n# This will force incoming DNS traffic only through port 53\n#\n# Disabling this option will break firewall functionality that relies on\n# stateful packet inspection (e.g. 
DNAT, PACKET_FILTER) and makes the firewall\n# less secure\n#\n# This option should be set to \"1\" in all other circumstances\nLF_SPI = \"1\"\n\n# Allow incoming TCP ports\nTCP_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\n\n# Allow outgoing TCP ports\nTCP_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\n\n# Allow incoming UDP ports\nUDP_IN = \"20,21,53,853,80,443\"\n\n# Allow outgoing UDP ports\n# To allow outgoing traceroute add 33434:33523 to this list \nUDP_OUT = \"20,21,53,853,113,123\"\n\n# Allow incoming PING. Disabling PING will likely break external uptime\n# monitoring\nICMP_IN = \"1\"\n\n# Set the per IP address incoming ICMP packet rate for PING requests. This\n# ratelimits PING requests which if exceeded results in silently rejected\n# packets. Disable or increase this value if you are seeing PING drops that you\n# do not want\n#\n# To disable rate limiting set to \"0\", otherwise set according to the iptables\n# documentation for the limit module. For example, \"1/s\" will limit to one\n# packet per second\nICMP_IN_RATE = \"1/s\"\n\n# Allow outgoing PING\n#\n# Unless there is a specific reason, this option should NOT be disabled as it\n# could break OS functionality\nICMP_OUT = \"1\"\n\n# Set the per IP address outgoing ICMP packet rate for PING requests. This\n# ratelimits PING requests which if exceeded results in silently rejected\n# packets. Disable or increase this value if you are seeing PING drops that you\n# do not want\n#\n# Unless there is a specific reason, this option should NOT be enabled as it\n# could break OS functionality\n#\n# To disable rate limiting set to \"0\", otherwise set according to the iptables\n# documentation for the limit module. For example, \"1/s\" will limit to one\n# packet per second\nICMP_OUT_RATE = \"0\"\n\n# For those with PCI Compliance tools that state that ICMP timestamps (type 13)\n# should be dropped, you can enable the following option. 
Otherwise, there\n# appears to be little evidence that it has anything to do with a security risk\n# and can impact network performance, so should be left disabled by everyone\n# else\nICMP_TIMESTAMPDROP = \"0\"\n\n###############################################################################\n# SECTION:IPv6 Port Settings\n###############################################################################\n# IPv6: (Requires ip6tables)\n#\n# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static\n# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below\n#\n# Supported:\n# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,\n# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS, \n# SYNFLOOD, LF_NETBLOCK\n#\n# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled\n# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,\n# CC_ALLOW_SMTPAUTH\n#\n# Supported if ip6tables >= 1.4.3:\n# PORTFLOOD, CONNLIMIT\n#\n# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is\n# installed:\n# MESSENGER DOCKER SMTP_REDIRECT\n#\n# Not supported:\n# ICMP_IN, ICMP_OUT\n#\nIPV6 = \"1\"\n\n# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6\n# traffic in the INPUT and OUTPUT chains. However, this could increase the risk\n# of icmpv6 attacks. To restrict incoming icmpv6, set to \"1\" but may break some\n# connection types\nIPV6_ICMP_STRICT = \"0\"\n\n# Pre v2.6.20 kernel must set this option to \"0\" as no working state module is\n# present, so a static firewall is configured as a fallback\n#\n# A workaround has been added for CentOS/RedHat v5 and custom kernels that do\n# not support IPv6 connection tracking by opening ephemeral port range\n# 32768:61000. This is only applied if IPV6_SPI is not enabled. 
This is the\n# same workaround implemented by RedHat in the sample default IPv6 rules\n#\n# As connection tracking will not be configured, applications that rely on it\n# will not function unless all outgoing ports are opened. Therefore, all\n# outgoing connections will be allowed once all other tests have completed. So\n# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.\n#\n# If you allow incoming ipv6 DNS lookups you may need to use the following\n# directive in the options{} section of your named.conf:\n#\n# query-source-v6 port 53;\n#\n# This will force ipv6 incoming DNS traffic only through port 53\n#\n# These changes are not necessary if the SPI firewall is used\nIPV6_SPI = \"1\"\n\n# Allow incoming IPv6 TCP ports\nTCP6_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\n\n# Allow outgoing IPv6 TCP ports\nTCP6_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\n\n# Allow incoming IPv6 UDP ports\nUDP6_IN = \"20,21,53,853,80,443\"\n\n# Allow outgoing IPv6 UDP ports\n# To allow outgoing traceroute add 33434:33523 to this list \nUDP6_OUT = \"20,21,53,853,113,123\"\n\n###############################################################################\n# SECTION:General Settings\n###############################################################################\n# By default, csf will auto-configure iptables to filter all traffic except on\n# the loopback device. If you only want iptables rules applied to a specific\n# NIC, then list it here (e.g. eth1, or eth+)\nETH_DEVICE = \"\"\n\n# By adding a device to this option, ip6tables can be configured only on the\n# specified device. 
Otherwise, ETH_DEVICE and then the default setting will be\n# used\nETH6_DEVICE = \"\"\n\n# If you don't want iptables rules applied to specific NICs, then list them in\n# a comma separated list (e.g \"eth1,eth2\")\nETH_DEVICE_SKIP = \"\"\n\n# This option should be enabled unless the kernel does not support the\n# \"conntrack\" module\n#\n# To use the deprecated iptables \"state\" module, change this to 0\nUSE_CONNTRACK = \"1\"\n\n# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)\n# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper\n# This will also remove the RELATED target from the global state iptables rule\n#\n# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or\n# the raw tables do not exist. The USE_CONNTRACK option should be enabled\n#\n# To enable this option, set it to your FTP server listening port number\n# (normally 21), do NOT set it to \"1\"\nUSE_FTPHELPER = \"0\"\n\n# Check whether syslog is running. Many of the lfd checks require syslog to be\n# running correctly. This test will send a coded message to syslog every\n# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded\n# message. If it fails to do so within SYSLOG_CHECK seconds an alert using\n# syslogalert.txt is sent\n#\n# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable\nSYSLOG_CHECK = \"0\"\n\n# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses\n# listed in csf.allow in addition to csf.ignore (the default). This option\n# should be used with caution as it would mean that IP's allowed through the\n# firewall from infected PC's could launch attacks on the server that lfd\n# would ignore\nIGNORE_ALLOW = \"0\"\n\n# Enable the following option if you want to apply strict iptables rules to DNS\n# traffic (i.e. relying on iptables connection tracking). 
Enabling this option\n# could cause DNS resolution issues both to and from the server but could help\n# prevent abuse of the local DNS server\nDNS_STRICT = \"0\"\n\n# Enable the following option if you want to apply strict iptables rules to DNS\n# traffic between the server and the nameservers listed in /etc/resolv.conf\n# Enabling this option could cause DNS resolution issues both to and from the\n# server but could help prevent abuse of the local DNS server\nDNS_STRICT_NS = \"0\"\n\n# Limit the number of IP's kept in the /etc/csf/csf.deny file\n#\n# Care should be taken when increasing this value on servers with low memory\n# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the\n# thousands) can sometimes cause network slowdown\n#\n# The value set here is the maximum number of IPs/CIDRs allowed\n# if the limit is reached, the entries will be rotated so that the oldest\n# entries (i.e. the ones at the top) will be removed and the latest is added.\n# The limit is only checked when using csf -d (which is what lfd also uses)\n# Set to 0 to disable limiting\n#\n# For implementations wishing to set this value significantly higher, we\n# recommend using the IPSET option\nDENY_IP_LIMIT = \"200\"\n\n# Limit the number of IP's kept in the temprary IP ban list. If the limit is\n# reached the oldest IP's in the ban list will be removed and allowed\n# regardless of the amount of time remaining for the block\n# Set to 0 to disable limiting\nDENY_TEMP_IP_LIMIT = \"100\"\n\n# Enable login failure detection daemon (lfd). If set to 0 none of the\n# following settings will have any effect as the daemon won't start.\nLF_DAEMON = \"1\"\n\n# Check whether csf appears to have been stopped and restart if necessary,\n# unless TESTING is enabled above. The check is done every 300 seconds\nLF_CSF = \"1\"\n\n# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,\n# IP6TABLES_RESTORE in two ways:\n#\n# 1. 
On a clean server reboot the entire csf iptables configuration is saved\n# and then restored where possible to provide a near instant firewall\n# startup[*]\n#\n# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,\n# BOGON, TOR are loaded using this method in a fraction of the time than if\n# this setting is disabled\n#\n# [*]Not supported on all OS platforms\n#\n# Set to \"0\" to disable this functionality\nFASTSTART = \"1\"\n\n# This option allows you to use ipset v6+ for the following csf options:\n# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,\n# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER\n#\n# ipset will only be used with the above options when listing IPs and CIDRs.\n# Advanced Allow Filters and temporary blocks use traditional iptables\n#\n# Using ipset moves the onus of ip matching against large lists away from\n# iptables rules and to a purpose built and optimised database matching\n# utility. It also simplifies the switching in of updated lists\n#\n# To use this option you must have a fully functioning installation of ipset\n# installed either via rpm or source from http://ipset.netfilter.org/\n# \n# Note: Using ipset has many advantages, some disadvantages are that you will\n# no longer see packet and byte counts against IPs and it makes identifying\n# blocked/allowed IPs that little bit harder\n#\n# Note: If you mainly use IP address only entries in csf.deny, you can increase\n# the value of DENY_IP_LIMIT significantly if you wish\n# \n# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ\n# containers even if it has been installed\n#\n# If you find any problems, please post on forums.configserver.com with full\n# details of the issue\nLF_IPSET = \"0\"\n\n# Versions of iptables greater or equal to v1.4.20 should support the --wait\n# option. 
This forces iptables commands that use the option to wait until a\n# lock by any other process using iptables completes, rather than simply\n# failing\n#\n# Enabling this feature will add the --wait option to iptables commands\n#\n# NOTE: The disadvantage of using this option is that any iptables command that\n# uses it will hang until the lock is released. This could cause a cascade of\n# hung processes trying to issue iptables commands. To try and avoid this issue\n# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger\n# a failure if reached\nWAITLOCK = \"1\"\nWAITLOCK_TIMEOUT = \"300\"\n\n# The following sets the hashsize for ipset sets, which must be a power of 2.\n#\n# Note: Increasing this value will consume more memory for all sets\n# Default: \"1024\"\nLF_IPSET_HASHSIZE = \"1024\"\n\n# The following sets the maxelem for ipset sets.\n#\n# Note: Increasing this value will consume more memory for all sets\n# Default: \"65536\"\nLF_IPSET_MAXELEM = \"65536\"\n\n# If you enable this option then whenever a CLI request to restart csf is used\n# lfd will restart csf instead within LF_PARSE seconds\n#\n# This feature can be helpful for restarting configurations that cannot use\n# FASTSTART\nLFDSTART = \"0\"\n\n# Enable verbose output of iptables commands\nVERBOSE = \"1\"\n\n# Drop out of order packets and packets in an INVALID state in iptables\n# connection tracking\nPACKET_FILTER = \"1\"\n\n# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)\nLF_LOOKUPS = \"1\"\n\n# Custom styling is possible in the csf UI. See the readme.txt for more\n# information under \"UI skinning and Mobile View\"\n#\n# This option enables the use of custom styling. If the styling fails to work\n# correctly, e.g. 
custom styling does not take into account a change in the\n# standard csf UI, then disabling this option will return the standard UI\nSTYLE_CUSTOM = \"0\"\n\n# This option disables the presence of the Mobile View in the csf UI\nSTYLE_MOBILE = \"1\"\n\n###############################################################################\n# SECTION:SMTP Settings\n###############################################################################\n# Block outgoing SMTP except for root, exim and mailman (forces scripts/users\n# to use the exim/sendmail binary instead of sockets access). This replaces the\n# protection as WHM > Tweak Settings > SMTP Tweaks\n#\n# This option uses the iptables ipt_owner/xt_owner module and must be loaded\n# for it to work. It may not be available on some VPS platforms\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nSMTP_BLOCK = \"0\"\n\n# If SMTP_BLOCK is enabled but you want to allow local connections to port 25\n# on the server (e.g. for webmail or web scripts) then enable this option to\n# allow outgoing SMTP connections to the loopback device\nSMTP_ALLOWLOCAL = \"1\"\n\n# This option redirects outgoing SMTP connections destined for remote servers\n# for non-bypass users to the local SMTP server to force local relaying of\n# email. Such email may require authentication (SMTP AUTH)\nSMTP_REDIRECT = \"0\"\n\n# This is a comma separated list of the ports to block. 
You should list all\n# ports that exim is configured to listen on\nSMTP_PORTS = \"25,465,587\"\n\n# Always allow the following comma separated users and groups to bypass\n# SMTP_BLOCK\n#\n# Note: root (UID:0) is always allowed\nSMTP_ALLOWUSER = \"\"\nSMTP_ALLOWGROUP = \"mail,mailman\"\n\n# This option will only allow SMTP AUTH to be advertised to the IP addresses\n# listed in /etc/csf/csf.smtpauth on EXIM mail servers\n#\n# The additional option CC_ALLOW_SMTPAUTH can be used with this option to\n# additionally restrict access to specific countries\n#\n# This is to help limit attempts at distributed attacks against SMTP AUTH which\n# are difficult to achieve since port 25 needs to be open to relay email\n#\n# The reason why this works is that if EXIM does not advertise SMTP AUTH on a\n# connection, then SMTP AUTH will not accept logins, defeating the attacks\n# without restricting mail relaying\n#\n# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so\n# that the lookup file in /etc/exim.smtpauth is regenerated from the\n# information from /etc/csf/csf.smtpauth plus any countries listed in\n# CC_ALLOW_SMTPAUTH\n#\n# NOTE: To make this option work you MUST make the modifications to exim.conf\n# as explained in the \"Exim SMTP AUTH Restriction\" section in /etc/csf/readme.txt\n# after enabling the option here, otherwise this option will not work\n#\n# To enable this option, set to 1 and make the exim configuration changes\n# To disable this option, set to 0 and undo the exim configuration changes\nSMTPAUTH_RESTRICT = \"0\"\n\n###############################################################################\n# SECTION:Port Flood Settings\n###############################################################################\n# Enable SYN Flood Protection. This option configures iptables to offer some\n# protection from tcp SYN packet DOS attempts. 
You should set the RATE so that\n# false-positives are kept to a minimum otherwise visitors may see connection\n# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables\n# man page for the correct --limit rate syntax\n#\n# Note: This option should ONLY be enabled if you know you are under a SYN\n# flood attack as it will slow down all new connections from any IP address to\n# the server if triggered\nSYNFLOOD = \"0\"\nSYNFLOOD_RATE = \"100/s\"\nSYNFLOOD_BURST = \"150\"\n\n# Connection Limit Protection. This option configures iptables to offer more\n# protection from DOS attacks against specific ports. It can also be used as a\n# way to simply limit resource usage by IP address to specific server services.\n# This option limits the number of concurrent new connections per IP address\n# that can be made to specific ports\n#\n# This feature does not work on servers that do not have the iptables module\n# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Connection Limit Protection\n# section of the csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nCONNLIMIT = \"\"\n\n# Port Flood Protection. This option configures iptables to offer protection\n# from DOS attacks against specific ports. This option limits the number of\n# new connections per time interval that can be made to specific ports\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. 
VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Port Flood Protection\n# section of the csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\nPORTFLOOD = \"\"\n\n# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.\n# These typically originate from exploit scripts uploaded through vulnerable\n# web scripts. Care should be taken on servers that use services that utilise\n# high levels of UDP outbound traffic, such as SNMP, so you may need to alter\n# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment\n#\n# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature\nUDPFLOOD = \"0\"\nUDPFLOOD_LIMIT = \"100/s\"\nUDPFLOOD_BURST = \"500\"\n\n# This is a list of usernames that should not be rate limited, such as \"named\"\n# to prevent bind traffic from being limited.\n#\n# Note: root (UID:0) is always allowed\nUDPFLOOD_ALLOWUSER = \"named\"\n\n###############################################################################\n# SECTION:Logging Settings\n###############################################################################\n# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the\n# perl module Sys::Syslog installed to use this feature\nSYSLOG = \"0\"\n\n# Drop target for incoming iptables rules. This can be set to either DROP or\n# REJECT. REJECT will send back an error packet, DROP will not respond at all.\n# REJECT is more polite, however it does provide extra information to a hacker\n# and lets them know that a firewall is blocking their attempts. DROP hangs\n# their connection, thereby frustrating attempts to port scan the server\nDROP = \"DROP\"\n\n# Drop target for outgoing iptables rules. 
This can be set to either DROP or\n# REJECT as with DROP, however as such connections are from this server it is\n# better to REJECT connections to closed ports rather than to DROP them. This\n# helps to immediately free up server resources rather than tying them up until\n# a connection times out. It also tells the process making the connection that\n# it has immediately failed\n#\n# It is possible that some monolithic kernels may not support the REJECT\n# target. If this is the case, csf checks before using REJECT and falls back to\n# using DROP, issuing a warning to set this to DROP instead\nDROP_OUT = \"REJECT\"\n\n# Enable logging of dropped connections to blocked ports to syslog, usually\n# /var/log/messages. This option needs to be enabled to use Port Scan Tracking\nDROP_LOGGING = \"1\"\n\n# Enable logging of dropped incoming connections from blocked IP addresses\n#\n# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)\nDROP_IP_LOGGING = \"0\"\n\n# Enable logging of dropped outgoing connections\n#\n# Note: Only outgoing SYN packets for TCP connections are logged, other\n# protocols log all packets\n#\n# We recommend that you enable this option\nDROP_OUT_LOGGING = \"1\"\n\n# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting\n# out (where available) which can help track abuse\nDROP_UID_LOGGING = \"1\"\n\n# Only log incoming reserved port dropped connections (0:1023). This can reduce\n# the amount of log noise from dropped connections, but will affect options\n# such as Port Scan Tracking (PS_INTERVAL)\nDROP_ONLYRES = \"0\"\n\n# Commonly blocked ports that you do not want logging as they tend to just fill\n# up the log file. 
These ports are specifically blocked (applied to TCP and UDP\n# protocols) for incoming connections\nDROP_NOLOG = \"23,67,68,111,113,135:139,445,500,513,520\"\n\n# Log packets dropped by the packet filtering option PACKET_FILTER\nDROP_PF_LOGGING = \"0\"\n\n# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If\n# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP\n# addresses breaking the Connection Limit Protection will be blocked\nCONNLIMIT_LOGGING = \"0\"\n\n# Enable logging of UDP floods. This should be enabled, especially with User ID\n# Tracking enabled\nUDPFLOOD_LOGGING = \"1\"\n\n# Send an alert if log file flooding is detected which causes lfd to skip log\n# lines to prevent lfd from looping. If this alert is sent you should check the\n# reported log file for the reason for the flooding\nLOGFLOOD_ALERT = \"0\"\n\n###############################################################################\n# SECTION:Reporting Settings\n###############################################################################\n# By default, lfd will send alert emails using the relevant alert template to\n# the To: address configured within that template. Setting the following\n# option will override the configured To: field in all lfd alert emails\n#\n# Leave this option empty to use the To: field setting in each alert template\nLF_ALERT_TO = \"\"\n\n# By default, lfd will send alert emails using the relevant alert template from\n# the From: address configured within that template. Setting the following\n# option will override the configured From: field in all lfd alert emails\n#\n# Leave this option empty to use the From: field setting in each alert template\nLF_ALERT_FROM = \"\"\n\n# By default, lfd will send all alerts using the SENDMAIL binary. To send using\n# SMTP directly, you can set the following to a relaying SMTP server, e.g.\n# \"127.0.0.1\". Leave this setting blank to use SENDMAIL\nLF_ALERT_SMTP = \"\"\n\n# Block Reporting. 
lfd can run an external script when it performs an IP\n# address block following, for example, a login failure. The following setting\n# is the full path of the external script, which must be executable. See\n# readme.txt for format details\n#\n# Leave this setting blank to disable\nBLOCK_REPORT = \"\"\n\n# To also run an external script when a temporary block is unblocked, set the\n# following to the full path of the external script, which must be\n# executable. See readme.txt for format details\n#\n# Leave this setting blank to disable\nUNBLOCK_REPORT = \"\"\n\n# In addition to the standard lfd email alerts, you can additionally enable the\n# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only\n# block alert messages will be sent. The reports use our schema at:\n# https://download.configserver.com/abuse_login-attack_0.2.json\n#\n# These reports are in a format accepted by many Netblock owners and should\n# help them investigate abuse. This option is not designed to automatically\n# forward these reports to the Netblock owners and should be checked for\n# false-positive blocks before reporting\n#\n# If available, the report will also include the abuse contact for the IP from\n# the Abusix Contact DB: https://abusix.com/contactdb.html\n#\n# Note: The following block types are not reported through this feature:\n# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT\nX_ARF = \"0\"\n\n# By default, lfd will send emails from the root forwarder. Setting the\n# following option will override this\nX_ARF_FROM = \"\"\n\n# By default, lfd will send emails to the root forwarder. Setting the following\n# option will override this\nX_ARF_TO = \"\"\n\n# If you want to automatically send reports to the abuse contact where found,\n# you can enable the following option\n#\n# Note: You MUST set X_ARF_FROM to a valid email address for this option to\n# work. 
This is so that the abuse contact can reply to the report\n#\n# However, you should be aware that without manual checking you could be\n# reporting innocent IP addresses, including your own clients, yourself and\n# your own servers\n#\n# Additionally, just because a contact address is found does not mean that\n# there is anyone on the end of it reading, processing or acting on such\n# reports, and you could conceivably be reported for sending spam\n#\n# We do not recommend enabling this option. Abuse reports should be checked and\n# verified before being forwarded to the abuse contact\nX_ARF_ABUSE = \"0\"\n\n###############################################################################\n# SECTION:Temp to Perm/Netblock Settings\n###############################################################################\n# Temporary to Permanent IP blocking. The following enables this feature to\n# permanently block IP addresses that have been temporarily blocked more than\n# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set\n# LF_PERMBLOCK to \"1\" to enable this feature\n#\n# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be\n# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting\n# (TTL) for blocked IPs, to be effective\n#\n# Set LF_PERMBLOCK to \"0\" to disable this feature\nLF_PERMBLOCK = \"1\"\nLF_PERMBLOCK_INTERVAL = \"86400\"\nLF_PERMBLOCK_COUNT = \"4\"\nLF_PERMBLOCK_ALERT = \"1\"\n\n# Permanently block IPs by network class. The following enables this feature\n# to permanently block classes of IP address where individual IP addresses\n# within the same class LF_NETBLOCK_CLASS have already been blocked more than\n# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. 
Set\n# LF_NETBLOCK to \"1\" to enable this feature\n#\n# This can be an effective way of blocking DDOS attacks launched from within\n# the same network class\n#\n# Valid settings for LF_NETBLOCK_CLASS are \"A\", \"B\" and \"C\"; care and\n# consideration is required when blocking network classes A or B\n#\n# Set LF_NETBLOCK to \"0\" to disable this feature\nLF_NETBLOCK = \"0\"\nLF_NETBLOCK_INTERVAL = \"86400\"\nLF_NETBLOCK_COUNT = \"4\"\nLF_NETBLOCK_CLASS = \"C\"\nLF_NETBLOCK_ALERT = \"1\"\n\n# Valid settings for LF_NETBLOCK_IPV6 are \"/64\", \"/56\", \"/48\", \"/32\" and \"/24\"\n# Great care should be taken with IPV6 netblock ranges due to the large number\n# of addresses involved\n#\n# To disable IPv6 netblocks set to \"\"\nLF_NETBLOCK_IPV6 = \"\"\n\n###############################################################################\n# SECTION:Global Lists/DYNDNS/Blocklists\n###############################################################################\n# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,\n# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new\n# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT\n# chain, then flush and delete the old dynamic chain and rename the new chain.\n#\n# This prevents a small window of opportunity opening when an update occurs and\n# the dynamic chain is flushed for the new rules.\n#\n# This option should not be enabled on servers with long dynamic chains (e.g.\n# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on\n# Virtuozzo VPS servers with a restricted numiptent value. 
This is because each\n# chain will effectively be duplicated while the update occurs, doubling the\n# number of iptables rules\nSAFECHAINUPDATE = \"0\"\n\n# If you wish to allow access from dynamic DNS records (for example if your IP\n# address changes whenever you connect to the internet but you have a dedicated\n# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN\n# records in csf.dyndns and then set the following to the number of seconds to\n# poll for a change in the IP address. If the IP address has changed iptables\n# will be updated.\n#\n# If the FQDN has multiple A records then all of the IP addresses will be\n# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will\n# also be allowed.\n# \n# A setting of 600 would check for IP updates every 10 minutes. Set the value\n# to 0 to disable the feature\nDYNDNS = \"0\"\n\n# To always ignore DYNDNS IP addresses in lfd blocking, set the following\n# option to 1\nDYNDNS_IGNORE = \"0\"\n\n# The following Global options allow you to specify a URL where csf can grab a\n# centralised copy of an IP allow or deny block list of your own. You need to\n# specify the full URL in the following options, e.g.:\n# http://www.somelocation.com/allow.txt\n#\n# The actual retrieval of these IP's is controlled by lfd, so you need to set\n# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd\n# will perform the retrieval when it runs and then again at the specified\n# interval. A sensible interval would probably be every 3600 seconds (1 hour).\n# A minimum value of 300 is enforced for LF_GLOBAL if enabled\n#\n# You do not have to specify both an allow and a deny file\n#\n# You can also configure a global ignore file for IP's that lfd should ignore\nLF_GLOBAL = \"0\"\n\nGLOBAL_ALLOW = \"\"\nGLOBAL_DENY = \"\"\nGLOBAL_IGNORE = \"\"\n\n# Provides the same functionality as DYNDNS but with a GLOBAL URL file. 
Set\n# this to the URL of the file containing DYNDNS entries\nGLOBAL_DYNDNS = \"\"\n\n# Set the following to the number of seconds to poll for a change in the IP\n# address resolved from GLOBAL_DYNDNS\nGLOBAL_DYNDNS_INTERVAL = \"600\"\n\n# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following\n# option to 1\nGLOBAL_DYNDNS_IGNORE = \"0\"\n\n# Blocklists are controlled by modifying /etc/csf/csf.blocklists\n#\n# If you don't want BOGON rules applied to specific NICs, then list them in\n# a comma separated list (e.g. \"eth1,eth2\")\nLF_BOGON_SKIP = \"\"\n\n# The following option can be used to select the method csf will use to\n# retrieve URL data and files\n#\n# This can be set to use:\n#\n# 1. Perl module HTTP::Tiny\n# 2. Perl module LWP::UserAgent\n# 3. CURL/WGET (set location at the bottom of csf.conf if installed)\n#\n# HTTP::Tiny is much faster than LWP::UserAgent and is included in the csf\n# distribution. LWP::UserAgent may have to be installed manually, but it can\n# better support https:// URL's, which also needs the LWP::Protocol::https perl\n# module\n#\n# CURL/WGET uses the system binaries if installed but does not always provide\n# good feedback when it fails. The script will first look for CURL; if that\n# does not exist at the configured location it will then look for WGET\n#\n# Additionally, if 1 or 2 are used and the retrieval fails, then if either CURL\n# or WGET are available, an additional attempt will be made using CURL/WGET. 
This is\n# useful if the perl distribution has outdated modules that do not support\n# modern SSL/TLS implementations\n#\n# To install the LWP perl modules required:\n#\n# On rpm based systems:\n# \n# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch\n#\n# On APT based systems:\n#\n# apt-get install libwww-perl liblwp-protocol-https-perl\n#\n# Via cpan:\n#\n# perl -MCPAN -eshell\n# cpan> install LWP LWP::Protocol::https\n#\n# We recommend setting this to \"2\" or \"3\" as upgrades to csf will be\n# performed over SSL as well as other URLs used when retrieving external data\n#\n# \"1\" = HTTP::Tiny\n# \"2\" = LWP::UserAgent\n# \"3\" = CURL/WGET (set location at the bottom of csf.conf)\nURLGET = \"2\"\n\n# If you need csf/lfd to use a proxy, then you can set this option to the URL\n# of the proxy. The proxy provided will be used for both HTTP and HTTPS\n# connections\nURLPROXY = \"\"\n\n###############################################################################\n# SECTION:Country Code Lists and Settings\n###############################################################################\n# Country Code to CIDR allow/deny. In the following options you can allow or\n# deny whole country CIDR ranges. The CIDR blocks are obtained from a selected\n# source below. They also display Country Code, Country and City for reported IP\n# addresses and lookups\n#\n# There are a number of sources for these databases; before utilising them you\n# need to visit each site and ensure you abide by their license provisions\n# where stated:\n\n# 1. MaxMind\n#\n# MaxMind GeoLite2 Country/City and ASN databases at:\n# https://dev.MaxMind.com/geoip/geoip2/geolite2/\n# This feature relies entirely on that service being available\n#\n# Advantages: This is a one stop shop for all of the databases required for\n# these features. 
They provide a consistent dataset for blocking and reporting\n# purposes\n#\n# Disadvantages: MaxMind require a license key to download their databases.\n# This is free of charge, but requires the user to create an account on their\n# website to generate the required key:\n#\n# WARNING: As of 2019-12-29, MaxMind REQUIRES you to create an account on their\n# site and to generate a license key to use their databases. See:\n# https://www.maxmind.com/en/geolite2/signup\n# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/\n# \n# You MUST set the following to continue using the IP lookup features of csf,\n# otherwise an error will be generated and the features will not work.\n# Alternatively set CC_SRC below to a different provider\n#\n# MaxMind License Key:\nMM_LICENSE_KEY = \"\"\n\n# 2. DB-IP, ipdeny.com, iptoasn.com\n#\n# Advantages: The ipdeny.com databases for CC blocking are better optimised\n# and so are quicker to process and create fewer iptables entries. All of these\n# databases are free to download without requiring login or key\n#\n# Disadvantages: Multiple sources mean that any one of the three could\n# interrupt the provision of these features. It may also mean that there are\n# inconsistencies between them\n#\n# https://db-ip.com/db/lite.php\n# http://ipdeny.com/\n# https://iptoasn.com/\n# http://download.geonames.org/export/dump/readme.txt\n\n# Set the following to your preferred source:\n#\n# \"1\" - MaxMind\n# \"2\" - db-ip, ipdeny, iptoasn\n#\n# The default is \"2\" on new installations of csf, or set to \"1\" to use the\n# MaxMind databases after obtaining a license key\nCC_SRC = \"2\"\n\n# In the following options, specify the two-letter ISO Country Code(s).\n# The iptables rules are for incoming connections only\n#\n# Additionally, ASN numbers can also be added to the comma separated lists\n# below that also list Country Codes. The same WARNINGS for Country Codes apply\n# to the use of ASNs. 
More about Autonomous System Numbers (ASN):\n# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml\n# ASNs must be listed as ASnnnn (where nnnn is the ASN number)\n#\n# You should consider using LF_IPSET when using any of the following options\n#\n# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use\n# non-geographic IP address designations for their clients\n#\n# WARNING: Some of the CIDR lists are huge and each one requires a rule within\n# the incoming iptables chain. This can result in significant performance\n# overheads and could render the server inaccessible in some circumstances. For\n# this reason (amongst others) we do not recommend using these options\n#\n# WARNING: Due to the resource constraints on VPS servers this feature should\n# not be used on such systems unless you choose very small CC zones\n#\n# WARNING: CC_ALLOW allows access through all ports in the firewall. For this\n# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is\n# preferred\n#\n# Each option is a comma separated list of CC's, e.g. \"US,GB,DE\"\nCC_DENY = \"\"\nCC_ALLOW = \"\"\n\n# An alternative to CC_ALLOW is to only allow access from the following\n# countries but still filter based on the port and packets rules. All other\n# connections are dropped\nCC_ALLOW_FILTER = \"\"\n\n# This option allows access from the following countries to specific ports\n# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP\n#\n# Note: The rules for this feature are inserted after the allow and deny\n# rules to still allow blocking of IP addresses\n#\n# Each option is a comma separated list of CC's, e.g. \"US,GB,DE\"\nCC_ALLOW_PORTS = \"\"\n\n# All listed ports should be removed from TCP_IN/UDP_IN to block access from\n# elsewhere. 
This option uses the same format as TCP_IN/UDP_IN\n#\n# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN\n# then only countries listed in CC_ALLOW_PORTS can access FTP\nCC_ALLOW_PORTS_TCP = \"\"\nCC_ALLOW_PORTS_UDP = \"\"\n\n# This option denies access from the following countries to specific ports\n# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP\n#\n# Note: The rules for this feature are inserted after the allow and deny\n# rules to still allow allowing of IP addresses\n#\n# Each option is a comma separated list of CC's, e.g. \"US,GB,DE\"\nCC_DENY_PORTS = \"\"\n\n# This option uses the same format as TCP_IN/UDP_IN. The ports listed should\n# NOT be removed from TCP_IN/UDP_IN\n#\n# An example would be to list port 21 here then countries listed in\n# CC_DENY_PORTS cannot access FTP\nCC_DENY_PORTS_TCP = \"\"\nCC_DENY_PORTS_UDP = \"\"\n\n# This Country Code list will prevent lfd from blocking IP address hits for the\n# listed CC's\n#\n# CC_LOOKUPS must be enabled to use this option\nCC_IGNORE = \"\"\n\n# This Country Code list will only allow SMTP AUTH to be advertised to the\n# listed countries in EXIM. 
This is to help limit attempts at distributed\n# attacks against SMTP AUTH which are difficult to achieve since port 25 needs\n# to be open to relay email\n#\n# The reason why this works is that if EXIM does not advertise SMTP AUTH on a\n# connection, then SMTP AUTH will not accept logins, defeating the attacks\n# without restricting mail relaying\n#\n# This option can generate a very large list of IP addresses that could easily\n# severely impact SMTP (mail) performance, so care must be taken when\n# selecting countries and if performance issues ensue\n#\n# The option SMTPAUTH_RESTRICT must be enabled to use this option\nCC_ALLOW_SMTPAUTH = \"\"\n\n# These options can control which IP blocks are redirected to the MESSENGER\n# service, if it is enabled\n#\n# If Country Codes are listed in CC_MESSENGER_ALLOW, then only a blocked IP\n# that resolves to one of those Country Codes will be redirected to the\n# MESSENGER service\n#\n# If Country Codes are listed in CC_MESSENGER_DENY, then a blocked IP that\n# resolves to one of those Country Codes will NOT be redirected to the\n# MESSENGER service\n#\nCC_MESSENGER_ALLOW = \"\"\nCC_MESSENGER_DENY = \"\"\n\n# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller\n# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can\n# help reduce the number of CC entries and may improve iptables throughput.\n# Obviously, this will deny/allow fewer IP addresses depending on how small you\n# configure the option\n#\n# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set\n# this option to \"16\". Set to \"\" to block all CC IP addresses\nCC_DROP_CIDR = \"\"\n\n# Display Country Code and Country for reported IP addresses. This option can\n# be configured to use the databases enabled at the top of this section. 
An\n# additional option is also available if you cannot use those databases:\n#\n# \"0\" - disable\n# \"1\" - Reports: Country Code and Country\n# \"2\" - Reports: Country Code and Country and Region and City\n# \"3\" - Reports: Country Code and Country and Region and City and ASN\n# \"4\" - Reports: Country Code and Country and Region and City (db-ip.com)\n#\n# Note: \"4\" does not use the databases enabled at the top of this section\n# directly for lookups. Instead it uses a URL-based lookup from\n# https://db-ip.com and so avoids having to download and process the large\n# databases. Please visit https://db-ip.com and read their limitations and\n# understand that this option will either cease to function or be removed by us\n# if that site is abused or overloaded. ONLY use this option if you have\n# difficulties using the databases enabled at the top of this section. This\n# option is ONLY for IP lookups, NOT when using the CC_* options above, which\n# will continue to use the databases enabled at the top of this section\n#\nCC_LOOKUPS = \"1\"\n\n# Display Country Code and Country for reported IPv6 addresses using the\n# databases enabled at the top of this section\n#\n# \"0\" - disable\n# \"1\" - enable and report the detail level as specified in CC_LOOKUPS\n#\n# This option must also be enabled to allow IPv6 support for CC_*, MESSENGER and\n# PORTFLOOD\nCC6_LOOKUPS = \"0\"\n\n# This option tells lfd how often to retrieve the databases for CC_ALLOW,\n# CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in days)\nCC_INTERVAL = \"14\"\n\n###############################################################################\n# SECTION:Login Failure Blocking and Alerts\n###############################################################################\n# The following[*] triggers are application specific. 
If you set LF_TRIGGER to\n# \"0\" the value of each trigger is the number of failures against that\n# application that will trigger lfd to block the IP address\n#\n# If you set LF_TRIGGER to a value greater than \"0\" then the following[*]\n# application triggers are simply on or off (\"0\" or \"1\") and the value of\n# LF_TRIGGER is the total cumulative number of failures that will trigger lfd\n# to block the IP address\n#\n# Setting the application trigger to \"0\" disables it\nLF_TRIGGER = \"0\"\n\n# If LF_TRIGGER is > \"0\" then LF_TRIGGER_PERM can be set to \"1\" to permanently\n# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than\n# \"1\" and the IP address will be blocked temporarily for that value in seconds.\n# For example:\n# LF_TRIGGER_PERM = \"1\" => the IP is blocked permanently\n# LF_TRIGGER_PERM = \"3600\" => the IP is blocked temporarily for 1 hour\n#\n# If LF_TRIGGER is \"0\", then the application LF_[application]_PERM value works\n# in the same way as above and LF_TRIGGER_PERM serves no function\nLF_TRIGGER_PERM = \"1\"\n\n# To only block access to the failed application instead of a complete block\n# for an ip address, you can set the following to \"1\", but LF_TRIGGER must be\n# set to \"0\" with specific application[*] trigger levels also set appropriately\n#\n# The ports that are blocked can be configured by changing the PORTS_* options\nLF_SELECT = \"0\"\n\n# Send an email alert if an IP address is blocked by one of the [*] triggers\nLF_EMAIL_ALERT = \"1\"\n\n# Send an email alert if an IP address is only temporarily blocked by one of\n# the [*] triggers\n#\n# Note: LF_EMAIL_ALERT must still be enabled to get permanent block emails\nLF_TEMP_EMAIL_ALERT = \"1\"\n\n# [*]Enable login failure detection of sshd connections\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_SSHD = \"5\"\nLF_SSHD_PERM = \"1\"\n\n# [*]Enable login failure detection of ftp connections\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_FTPD = \"10\"\nLF_FTPD_PERM = \"1\"\n\n# [*]Enable login failure detection of SMTP AUTH connections\nLF_SMTPAUTH = \"5\"\nLF_SMTPAUTH_PERM = \"1\"\n\n# [*]Enable syntax failure detection of Exim connections\nLF_EXIMSYNTAX = \"10\"\nLF_EXIMSYNTAX_PERM = \"1\"\n\n# [*]Enable login failure detection of pop3 connections\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_POP3D = \"0\"\nLF_POP3D_PERM = \"1\"\n\n# [*]Enable login failure detection of imap connections\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_IMAPD = \"0\"\nLF_IMAPD_PERM = \"1\"\n\n# [*]Enable login failure detection of Apache .htpasswd connections\n# Due to the often high logging rate in the Apache error log, you might want to\n# enable this option only if you know you are suffering from attacks against\n# password protected directories\nLF_HTACCESS = \"5\"\nLF_HTACCESS_PERM = \"1\"\n\n# [*]Enable failure detection of repeated Apache mod_security rule triggers\nLF_MODSEC = \"5\"\nLF_MODSEC_PERM = \"1\"\n\n# [*]Enable detection of repeated BIND denied requests\n# This option should be enabled with care as it will prevent blocked IPs from\n# resolving any domains on the server. You might want to set the trigger value\n# reasonably high to avoid this\n# Example: LF_BIND = \"100\"\nLF_BIND = \"0\"\nLF_BIND_PERM = \"1\"\n\n# [*]Enable detection of repeated suhosin ALERTs\n# Example: LF_SUHOSIN = \"5\"\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_SUHOSIN = \"0\"\nLF_SUHOSIN_PERM = \"1\"\n\n# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers\n# This option will block IP addresses if cxs detects a hits from the\n# ModSecurity rule associated with it\n#\n# Note: This option takes precedence over LF_MODSEC and removes any hits\n# counted towards LF_MODSEC for the cxs rule\n#\n# This setting should probably set very low, perhaps to 1, if you want to\n# effectively block IP addresses for this trigger option\nLF_CXS = \"0\"\nLF_CXS_PERM = \"1\"\n\n# [*]Enable detection of repeated Apache mod_qos rule triggers\nLF_QOS = \"0\"\nLF_QOS_PERM = \"1\"\n\n# [*]Enable detection of repeated Apache symlink race condition triggers from\n# the Apache patch provided by:\n# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html\n# This patch has also been included by cPanel via the easyapache option:\n# \"Symlink Race Condition Protection\"\nLF_SYMLINK = \"0\"\nLF_SYMLINK_PERM = \"1\"\n\n# [*]Enable login failure detection of webmin connections\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_WEBMIN = \"0\"\nLF_WEBMIN_PERM = \"1\"\n\n# Send an email alert if anyone logs in successfully using SSH\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_SSH_EMAIL_ALERT = \"1\"\n\n# Send an email alert if anyone uses su to access another account. This will\n# send an email alert whether the attempt to use su was successful or not\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_SU_EMAIL_ALERT = \"1\"\n\n# Send an email alert if anyone uses sudo to access another account. 
This will\n# send an email alert whether the attempt to use sudo was successful or not\n#\n# NOTE: This option could become onerous if sudo is used extensively for root\n# access by administrators or control panels. It is provided for those where\n# this is not the case\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_SUDO_EMAIL_ALERT = \"0\"\n\n# Send an email alert if anyone accesses webmin\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_WEBMIN_EMAIL_ALERT = \"1\"\n\n# Send an email alert if anyone logs in successfully to root on the console\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_CONSOLE_EMAIL_ALERT = \"1\"\n\n# This option will keep track of the number of \"File does not exist\" errors in\n# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL\n# seconds then the IP address will be blocked\n#\n# Care should be used with this option as it could generate many\n# false-positives, especially Search Bots (use csf.rignore to ignore such bots)\n# so only use this option if you know you are under this type of attack\n#\n# A sensible setting for this would be quite high, perhaps 200\n#\n# To disable set to \"0\"\nLF_APACHE_404 = \"0\"\n\n# If this option is set to 1 the blocks will be permanent\n# If this option is > 1, the blocks will be temporary for the specified number\n# of seconds\nLF_APACHE_404_PERM = \"3600\"\n\n# This option will keep track of the number of \"client denied by server\n# configuration\" errors in HTACCESS_LOG. 
If the number of hits is more than\n# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked\n#\n# Care should be used with this option as it could generate many\n# false-positives, especially Search Bots (use csf.rignore to ignore such bots)\n# so only use this option if you know you are under this type of attack\n#\n# A sensible setting for this would be quite high, perhaps 200\n#\n# To disable set to \"0\"\nLF_APACHE_403 = \"0\"\n\n# If this option is set to 1 the blocks will be permanent\n# If this option is > 1, the blocks will be temporary for the specified number\n# of seconds\nLF_APACHE_403_PERM = \"3600\"\n\n# This option will keep track of the number of 401 failures in HTACCESS_LOG.\n# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then\n# the IP address will be blocked\n#\n# To disable set to \"0\"\nLF_APACHE_401 = \"0\"\n\n# This option is used to determine if the Apache error_log format contains the\n# client port after the client IP. In Apache prior to v2.4, this was not the\n# case. In Apache v2.4+ the error_log format can be configured using\n# ErrorLogFormat, making the port directive optional\n#\n# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next\n# to the client IP by default. This makes determining client IPv6 addresses\n# difficult unless we know whether the port is being appended or not\n#\n# lfd will attempt to autodetect the correct value if this option is set to \"0\"\n# from the httpd binary found in common locations. 
If it fails to find a binary\n# it will be set to \"2\", unless specified here\n#\n# The value can be set here explicitly if the autodetection does not work:\n# 0 - autodetect\n# 1 - no port directive after client IP\n# 2 - port directive after client IP\nLF_APACHE_ERRPORT = \"0\"\n\n# If this option is set to 1 the blocks will be permanent\n# If this option is > 1, the blocks will be temporary for the specified number\n# of seconds\nLF_APACHE_401_PERM = \"3600\"\n\n# This option will send an alert if the ModSecurity IP persistent storage grows\n# excessively large: https://goo.gl/rGh5sF\n#\n# More information on cPanel servers here: https://goo.gl/vo6xTE\n#\n# LF_MODSECIPDB_FILE must be set to the correct location of the database file\n#\n# The check is performed at lfd startup and then once per hour, the template\n# used is modsecipdbalert.txt\n#\n# Set to \"0\" to disable this option, otherwise it is the threshold size of the\n# file to report in gigabytes, e.g. set to 5 for 5GB\nLF_MODSECIPDB_ALERT = \"0\"\n\n# This is the location of the persistent IP storage file on the server, e.g.:\n# /var/run/modsecurity/data/ip.pag\n# /var/cpanel/secdatadir/ip.pag\n# /var/cache/modsecurity/ip.pag\n# /usr/local/apache/conf/modsec/data/msa/ip.pag\n# /var/tmp/ip.pag\n# /tmp/ip.pag\nLF_MODSECIPDB_FILE = \"/var/run/modsecurity/data/ip.pag\"\n\n# System Exploit Checking. 
This option is designed to perform a series of tests\n# to send an alert in case a possible server compromise is detected\n#\n# To enable this feature set the following to the checking interval in seconds\n# (a value of 300 would seem sensible).\n#\n# To disable set to \"0\"\nLF_EXPLOIT = \"300\"\n\n# This comma separated list allows you to ignore tests LF_EXPLOIT performs\n#\n# For the SUPERUSER check, you can list usernames in csf.suignore to have them\n# ignored for that test\n#\n# Valid tests are:\n# SUPERUSER\n#\n# If you want to ignore a test add it to this as a comma separated list, e.g.\n# \"SUPERUSER\"\nLF_EXPLOIT_IGNORE = \"\"\n\n# Set the time interval to track login and other LF_ failures within (seconds),\n# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds\nLF_INTERVAL = \"3600\"\n\n# This is how long the lfd process sleeps (in seconds) before processing the\n# log file entries and checking whether other events need to be triggered\nLF_PARSE = \"5\"\n\n# This is the interval that is used to flush reports of usernames, files and\n# pids so that persistent problems continue to be reported, in seconds.\n# A value of 3600 seems sensible\nLF_FLUSH = \"3600\"\n\n# Under some circumstances iptables can fail to include a rule instruction,\n# especially if more than one request is made concurrently. In this event, a\n# permanent block entry may exist in csf.deny, but not in iptables.\n#\n# This option instructs csf to deny an already blocked IP address the number\n# of times set. The downside, is that there will be multiple entries for an IP\n# address in csf.deny and possibly multiple rules for the same IP address in\n# iptables. This needs to be taken into consideration when unblocking such IP\n# addresses.\n#\n# Set to \"0\" to disable this feature. Do not set this too high for the reasons\n# detailed above (e.g. 
\"5\" should be more than enough)\nLF_REPEATBLOCK = \"0\"\n\n# By default csf will create both an inbound and outbound blocks from/to an IP\n# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most\n# effective way to block IP traffic. This option instructs csf to only block\n# inbound traffic from those IP's and so reduces the number of iptables rules,\n# but at the expense of less effectiveness. For this reason we recommend\n# leaving this option disabled\n# \n# Set to \"0\" to disable this feature - the default\nLF_BLOCKINONLY = \"0\"\n\n###############################################################################\n# SECTION:CloudFlare\n###############################################################################\n# This features provides interaction with the CloudFlare Firewall\n#\n# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as \n# iptables is concerned) come from the CloudFlare IP's. To counter this, an\n# Apache module (mod_cloudflare) is available that obtains the true attackers\n# IP from a custom HTTP header record (similar functionality is available\n# for other HTTP daemons\n#\n# However, despite now knowing the true attacking IP address, iptables cannot\n# be used to block that IP as the traffic is still coming from the CloudFlare\n# servers\n#\n# CloudFlare have provided a Firewall feature within the user account where\n# rules can be added to block, challenge or whitelist IP addresses\n#\n# Using the CloudFlare API, this feature adds and removes attacking IPs from\n# that firewall and provides CLI (and via the UI) additional commands\n#\n# See /etc/csf/readme.txt for more information about this feature and the\n# restrictions for its use BEFORE enabling this feature\nCF_ENABLE = \"0\"\n\n# This can be set to either \"block\" or \"challenge\" (see CloudFlare docs)\nCF_BLOCK = \"block\"\n\n# This setting determines how long the temporary block will apply within csf\n# and CloudFlare, keeping them in 
sync\n#\n# Block duration in seconds - overrides perm block or time of individual blocks\n# in lfd for block triggers\nCF_TEMP = \"3600\"\n\n###############################################################################\n# SECTION:Directory Watching & Integrity \n###############################################################################\n# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm\n# directories for suspicious files, i.e. script exploits. If a suspicious\n# file is found an email alert is sent. One alert per file per LF_FLUSH\n# interval is sent\n#\n# To enable this feature set the following to the checking interval in seconds.\n# To disable set to \"0\"\nLF_DIRWATCH = \"300\"\n\n# To remove any suspicious files found during directory watching, enable the\n# following. These files will be appended to a tarball in\n# /var/lib/csf/suspicious.tar\nLF_DIRWATCH_DISABLE = \"0\"\n\n# This option allows you to have lfd watch a particular file or directory for\n# changes and should they change and email alert using watchalert.txt is sent\n#\n# To enable this feature set the following to the checking interval in seconds\n# (a value of 60 would seem sensible) and add your entries to csf.dirwatch\n#\n# Set to disable set to \"0\"\nLF_DIRWATCH_FILE = \"0\"\n\n# System Integrity Checking. This enables lfd to compare md5sums of the\n# servers OS binary application files from the time when lfd starts. If the\n# md5sum of a monitored file changes an alert is sent. This option is intended\n# as an IDS (Intrusion Detection System) and is the last line of detection for\n# a possible root compromise.\n#\n# There will be constant false-positives as the servers OS is updated or\n# monitored application binaries are updated. 
However, unexpected changes\n# should be carefully inspected.\n#\n# Modified files will only be reported via email once.\n#\n# To enable this feature set the following to the checking interval in seconds\n# (a value of 3600 would seem sensible). This option may increase server I/O\n# load onto the server as it checks system binaries.\n#\n# To disable set to \"0\"\nLF_INTEGRITY = \"3600\"\n\n###############################################################################\n# SECTION:Distributed Attacks\n###############################################################################\n# Distributed Account Attack. This option will keep track of login failures\n# from distributed IP addresses to a specific application account. If the\n# number of failures matches the trigger value above, ALL of the IP addresses\n# involved in the attack will be blocked according to the temp/perm rules above\n#\n# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, \n# LF_HTACCESS\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_DISTATTACK = \"0\"\n\n# Set the following to the minimum number of unique IP addresses that trigger\n# LF_DISTATTACK\nLF_DISTATTACK_UNIQ = \"2\"\n\n# Distributed FTP Logins. This option will keep track of successful FTP logins.\n# If the number of successful logins to an individual account is at least\n# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,\n# then all of the IP addresses will be blocked\n#\n# This option can help mitigate the common FTP account compromise attacks that\n# use a distributed network of zombies to deface websites\n#\n# A sensible setting for this might be 5, depending on how many different\n# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL\n#\n# To disable set to \"0\"\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLF_DISTFTP = \"0\"\n\n# Set the following to the minimum number of unique IP addresses that trigger\n# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work\nLF_DISTFTP_UNIQ = \"3\"\n\n# If this option is set to 1 the blocks will be permanent\n# If this option is > 1, the blocks will be temporary for the specified number\n# of seconds\nLF_DISTFTP_PERM = \"1\"\n\n# Send an email alert if LF_DISTFTP is triggered\nLF_DISTFTP_ALERT = \"1\"\n\n# Distributed SMTP Logins. This option will keep track of successful SMTP\n# logins. If the number of successful logins to an individual account is at\n# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP\n# addresses, then all of the IP addresses will be blocked. These options only\n# apply to the exim MTA\n#\n# This option can help mitigate the common SMTP account compromise attacks that\n# use a distributed network of zombies to send spam\n#\n# A sensible setting for this might be 5, depending on how many different\n# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL\n#\n# To disable set to \"0\"\nLF_DISTSMTP = \"0\"\n\n# Set the following to the minimum number of unique IP addresses that trigger\n# LF_DISTSMTP. 
LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work\nLF_DISTSMTP_UNIQ = \"3\"\n\n# If this option is set to 1 the blocks will be permanent\n# If this option is > 1, the blocks will be temporary for the specified number\n# of seconds\nLF_DISTSMTP_PERM = \"1\"\n\n# Send an email alert if LF_DISTSMTP is triggered\nLF_DISTSMTP_ALERT = \"1\"\n\n# This is the interval during which a distributed FTP or SMTP attack is\n# measured\nLF_DIST_INTERVAL = \"300\"\n\n# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the\n# path to a script, it will run the script and pass the following as arguments:\n#\n# LF_DISTFTP/LF_DISTSMTP\n# account name\n# log file text\n#\n# The action script must have the execute bit and interpreter (shebang) set\nLF_DIST_ACTION = \"\"\n\n###############################################################################\n# SECTION:Login Tracking\n###############################################################################\n# Block POP3 logins if greater than LT_POP3D times per hour per account per IP\n# address (0=disabled)\n#\n# This is a temporary block for the rest of the hour, afterwhich the IP is\n# unblocked\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLT_POP3D = \"0\"\n\n# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP\n# address (0=disabled) - not recommended for IMAP logins due to the ethos\n# within which IMAP works. If you want to use this, setting it quite high is\n# probably a good idea\n#\n# This is a temporary block for the rest of the hour, afterwhich the IP is\n# unblocked\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nLT_IMAPD = \"0\"\n\n# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour\n# per IP\nLT_EMAIL_ALERT = \"1\"\n\n# If LF_PERMBLOCK is enabled but you do not want this to apply to\n# LT_POP3D/LT_IMAPD, then enable this option\nLT_SKIPPERMBLOCK = \"0\"\n\n###############################################################################\n# SECTION:Connection Tracking\n###############################################################################\n# Connection Tracking. This option enables tracking of all connections from IP\n# addresses to the server. If the total number of connections is greater than\n# this value then the offending IP address is blocked. This can be used to help\n# prevent some types of DOS attack.\n#\n# Care should be taken with this option. It's entirely possible that you will\n# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD\n# and HTTP so it could be quite easy to trigger, especially with a lot of\n# closed connections in TIME_WAIT. However, for a server that is prone to DOS\n# attacks this may be very useful. A reasonable setting for this option might\n# be around 300.\n#\n# To disable this feature, set this to 0\nCT_LIMIT = \"0\"\n\n# Connection Tracking interval. Set this to the the number of seconds between\n# connection tracking scans\nCT_INTERVAL = \"30\"\n\n# Send an email alert if an IP address is blocked due to connection tracking\nCT_EMAIL_ALERT = \"1\"\n\n# If you want to make IP blocks permanent then set this to 1, otherwise blocks\n# will be temporary and will be cleared after CT_BLOCK_TIME seconds\nCT_PERMANENT = \"0\"\n\n# If you opt for temporary IP blocks for CT, then the following is the interval\n# in seconds that the IP will remained blocked for (e.g. 
1800 = 30 mins)\nCT_BLOCK_TIME = \"1800\"\n\n# If you don't want to count the TIME_WAIT state against the connection count\n# then set the following to \"1\"\nCT_SKIP_TIME_WAIT = \"0\"\n\n# If you only want to count specific states (e.g. SYN_RECV) then add the states\n# to the following as a comma separated list. E.g. \"SYN_RECV,TIME_WAIT\"\n#\n# Leave this option empty to count all states against CT_LIMIT\nCT_STATES = \"\"\n\n# If you only want to count specific ports (e.g. 80,443) then add the ports\n# to the following as a comma separated list. E.g. \"80,443\"\n#\n# Leave this option empty to count all ports against CT_LIMIT\nCT_PORTS = \"\"\n\n# If the total number of connections from a class C subnet is greater than this\n# value then the offending subnet is blocked according to the other CT_*\n# settings\n#\n# This option can be used to help prevent some types of DOS attack where a\n# range of IP's between x.y.z.1-255 has connected to the server\n#\n# If you use a reverse proxy service such as Cloudflare you should not enable\n# this option, or should exclude the ports that you have proxied in CT_PORTS\n#\n# To disable this feature, set this to 0\nCT_SUBNET_LIMIT = \"0\"\n\n###############################################################################\n# SECTION:Process Tracking\n###############################################################################\n# Process Tracking. This option enables tracking of user and nobody processes\n# and examines them for suspicious executables or open network ports. Its\n# purpose is to identify potential exploit processes that are running on the\n# server, even if they are obfuscated to appear as system services. If a\n# suspicious process is found an alert email is sent with relevant information.\n# It is then the responsibility of the recipient to investigate the process\n# further as the script takes no further action\n#\n# The following is the number of seconds a process has to be active before it\n# is inspected. 
If you set this time too low, then you will likely trigger\n# false-positives with CGI or PHP scripts.\n# Set the value to 0 to disable this feature\nPT_LIMIT = \"60\"\n\n# How frequently processes are checked in seconds\nPT_INTERVAL = \"60\"\n\n# If you want process tracking to highlight php or perl scripts that are run\n# through apache then disable the following,\n# i.e. set it to 0\n#\n# While enabling this setting will reduce false-positives, having it set to 0\n# does provide better checking for exploits running on the server\nPT_SKIP_HTTP = \"0\"\n\n# lfd will report processes, even if they're listed in csf.pignore, if they're\n# tagged as (deleted) by Linux. This information is provided in Linux under\n# /proc/PID/exe. A (deleted) process is one that is running a binary that has\n# the inode for the file removed from the file system directory. This usually\n# happens when the binary has been replaced due to an upgrade for it by the OS\n# vendor or another third party (e.g. cPanel). You need to investigate whether\n# this is indeed the case to be sure that the original binary has not been\n# replaced by a rootkit or is running an exploit.\n#\n# Note: If a deleted executable process is detected and reported then lfd will\n# not report children of the parent (or the parent itself if a child triggered\n# the report) if the parent is also a deleted executable process\n#\n# To stop lfd reporting such process you need to restart the daemon to which it\n# belongs and therefore run the process using the replacement binary (presuming\n# one exists). 
This will normally mean running the associated startup script in\n# /etc/init.d/\n#\n# If you do want lfd to report deleted binary processes, set to 1\nPT_DELETED = \"0\"\n\n# If a PT_DELETED event is triggered, then if the following contains the path to\n# a script, it will be run in a child process and passed the executable, pid,\n# account for the process, and parent pid\n#\n# The action script must have the execute bit and interpreter (shebang) set. An\n# example is provided in /usr/local/csf/bin/pt_deleted_action.pl\n#\n# WARNING: Make sure you read and understand the potential security\n# implications of such processes in PT_DELETED above before simply restarting\n# such processes with a script\nPT_DELETED_ACTION = \"\"\n\n# User Process Tracking. This option enables the tracking of the number of\n# process any given account is running at one time. If the number of processes\n# exceeds the value of the following setting an email alert is sent with\n# details of those processes. If you specify a user in csf.pignore it will be\n# ignored\n#\n# Set to 0 to disable this feature\nPT_USERPROC = \"10\"\n\n# This User Process Tracking option sends an alert if any user process exceeds\n# the virtual memory usage set (MB). To ignore specific processes or users use\n# csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERMEM = \"512\"\n\n# This User Process Tracking option sends an alert if any user process exceeds\n# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific\n# processes or users use csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERRSS = \"256\"\n\n# This User Process Tracking option sends an alert if any linux user process\n# exceeds the time usage set (seconds). 
To ignore specific processes or users\n# use csf.pignore\n#\n# Set to 0 to disable this feature\nPT_USERTIME = \"1800\"\n\n# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or\n# PT_USERPROC are killed\n#\n# Warning: We don't recommend enabling this option unless absolutely necessary\n# as it can cause unexpected problems when processes are suddenly terminated.\n# It can also lead to system processes being terminated which could cause\n# stability issues. It is much better to leave this option disabled and to\n# investigate each case as it is reported when the triggers above are breached\n#\n# Note: Processes that are running deleted excecutables (see PT_DELETED) will\n# not be killed by lfd\nPT_USERKILL = \"0\"\n\n# If you want to disable email alerts if PT_USERKILL is triggered, then set\n# this option to 0\nPT_USERKILL_ALERT = \"1\"\n\n# If a PT_* event is triggered, then if the following contains the path to\n# a script, it will be run in a child process and passed the PID(s) of the\n# process(es) in a comma separated list.\n#\n# The action script must have the execute bit and interpreter (shebang) set\nPT_USER_ACTION = \"\"\n\n# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and\n# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the\n# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is\n# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP\n# seconds has passed to prevent email floods.\n#\n# Set PT_LOAD to \"0\" to disable this feature\nPT_LOAD = \"30\"\nPT_LOAD_AVG = \"5\"\nPT_LOAD_LEVEL = \"6\"\nPT_LOAD_SKIP = \"3600\"\n\n# This is the Apache Server Status URL used in the email alert. Requires the\n# Apache mod_status module to be installed and configured correctly\nPT_APACHESTATUS = \"http://127.0.0.1/server-status\"\n\n# If a PT_LOAD event is triggered, then if the following contains the path to\n# a script, it will be run in a child process. 
For example, the script could\n# contain commands to terminate and restart httpd, php, exim, etc incase of\n# looping processes. The action script must have the execute bit an \n# interpreter (shebang) set\nPT_LOAD_ACTION = \"\"\n\n# Fork Bomb Protection. This option checks the number of processes with the\n# same session id and if greater than the value set, the whole session tree is\n# terminated and an alert sent\n#\n# You can see an example of common session id processes on most Linux systems\n# using: \"ps axf -O sid\"\n#\n# On cPanel servers, PT_ALL_USERS should be enabled to use this option\n# effectively\n#\n# This option will check root owned processes. Session id 0 and 1 will always\n# be ignored as they represent kernel and init processes. csf.pignore will be\n# honoured, but bear in mind that a session tree can contain a variety of users\n# and executables\n#\n# Care needs to be taken to ensure that this option only detects runaway fork\n# bombs, so should be set higher than any session tree is likely to get (e.g.\n# httpd could have 100s of legitimate children on very busy systems). A\n# sensible starting point on most servers might be 250\nPT_FORKBOMB = \"0\"\n\n# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes\n# are often left hanging after their connecting IP addresses have been blocked\n#\n# This option will terminate the SSH processes created by the blocked IP. This\n# option is preferred over PT_SSHDHUNG\nPT_SSHDKILL = \"0\"\n\n# This option will terminate all processes with the cmdline of \"sshd: unknown\n# [net]\" or \"sshd: unknown [priv]\" if they have been running for more than 60\n# seconds\nPT_SSHDHUNG = \"0\"\n\n###############################################################################\n# SECTION:Port Scan Tracking\n###############################################################################\n# Port Scan Tracking. This feature tracks port blocks logged by iptables to\n# syslog. 
If an IP address generates a port block that is logged more than\n# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.\n#\n# This feature could, for example, be useful for blocking hackers attempting\n# to access the standard SSH port if you have moved it to a port other than 22\n# and have removed 22 from the TCP_IN list so that connection attempts to the\n# old port are being logged\n#\n# This feature blocks all iptables blocks from the iptables logs, including\n# repeated attempts to one port or SYN flood blocks, etc\n#\n# Note: This feature will only track iptables blocks from the log file set in\n# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will\n# cause redundant blocking with DROP_IP_LOGGING enabled\n#\n# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)\n# could very quickly fill the iptables rule chains and cause a DOS in itself.\n# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks\n# and the DENY_TEMP_IP_LIMIT with temporary blocks\n#\n# Set PS_INTERVAL to \"0\" to disable this feature. A value of between 60 and 300\n# would be sensible to enable this feature\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nPS_INTERVAL = \"0\"\nPS_LIMIT = \"10\"\n\n# You can specify the ports and/or port ranges that should be tracked by the\n# Port Scan Tracking feature. The following setting is a comma separated list\n# of those ports and uses the same format as TCP_IN. 
The setting of\n# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports\n#\n# Special values are:\n# ICMP - include ICMP blocks (see ICMP_*)\n# INVALID - include INVALID blocks (see PACKET_FILTER)\n# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*\n# BRD - include UDP Broadcast IPs, otherwise they are ignored\nPS_PORTS = \"0:65535,ICMP\"\n\n# To specify how many different ports qualifies as a Port Scan you can increase\n# the following from the default value of 1. The risk in doing so will mean\n# that persistent attempts to attack a specific closed port will not be\n# detected and blocked\nPS_DIVERSITY = \"1\"\n\n# You can select whether IP blocks for Port Scan Tracking should be temporary\n# or permanent. Set PS_PERMANENT to \"0\" for temporary and \"1\" for permanent\n# blocking. If set to \"0\" PS_BLOCK_TIME is the amount of time in seconds to\n# temporarily block the IP address for\nPS_PERMANENT = \"0\"\nPS_BLOCK_TIME = \"3600\"\n\n# Set the following to \"1\" to enable Port Scan Tracking email alerts, set to\n# \"0\" to disable them\nPS_EMAIL_ALERT = \"1\"\n\n###############################################################################\n# SECTION:User ID Tracking\n###############################################################################\n# User ID Tracking. This feature tracks UID blocks logged by iptables to\n# syslog. If a UID generates a port block that is logged more than UID_LIMIT\n# times within UID_INTERVAL seconds, an alert will be sent\n#\n# Note: This feature will only track iptables blocks from the log file set in\n# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.\n#\n# To ignore specific UIDs list them in csf.uidignore and then restart lfd\n#\n# Set UID_INTERVAL to \"0\" to disable this feature. A value of between 60 and 300\n# would be sensible to enable this feature\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nUID_INTERVAL = \"0\"\nUID_LIMIT = \"10\"\n\n# You can specify the ports and/or port ranges that should be tracked by the\n# User ID Tracking feature. The following setting is a comma separated list\n# of those ports and uses the same format as TCP_OUT. The default setting of\n# 0:65535,ICMP covers all ports\nUID_PORTS = \"0:65535,ICMP\"\n\n###############################################################################\n# SECTION:Account Tracking\n###############################################################################\n# Account Tracking. The following options enable the tracking of modifications\n# to the accounts on a server. If any of the enabled options are triggered by\n# a modification to an account, an alert email is sent. Only the modification\n# is reported. The cause of the modification will have to be investigated\n# manually\n#\n# You can set AT_ALERT to the following:\n# 0 = disable this feature\n# 1 = enable this feature for all accounts\n# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)\n# 3 = enable this feature only for the root account\nAT_ALERT = \"2\"\n\n# This option is the interval between checks in seconds\nAT_INTERVAL = \"60\"\n\n# Send alert if a new account is created\nAT_NEW = \"1\"\n\n# Send alert if an existing account is deleted\nAT_OLD = \"1\"\n\n# Send alert if an account password has changed\nAT_PASSWD = \"1\"\n\n# Send alert if an account uid has changed\nAT_UID = \"1\"\n\n# Send alert if an account gid has changed\nAT_GID = \"1\"\n\n# Send alert if an account login directory has changed\nAT_DIR = \"1\"\n\n# Send alert if an account login shell has changed\nAT_SHELL = \"1\"\n\n###############################################################################\n# SECTION:Integrated User Interface\n###############################################################################\n# Integrated User Interface. 
This feature provides an HTML UI to csf and lfd,\n# without requiring a control panel or web server. The UI runs as a sub process\n# to the lfd daemon\n#\n# As it runs under the root account and successful login provides root access\n# to the server, great care should be taken when configuring and using this\n# feature. There are additional restrictions to enhance secure access to the UI\n#\n# See readme.txt for more information about using this feature BEFORE enabling\n# it for security and access reasons\n# \n# 1 to enable, 0 to disable\nUI = \"1\"\n\n# Set this to the port that you want to bind this service to. You should\n# configure this port to be >1023 and different from any other port already\n# being used\n#\n# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's\n# to the port using Advanced Allow Filters (see readme.txt)\nUI_PORT = \"8546\"\n\n# Optionally set the IP address to bind to. Normally this should be left blank\n# to bind to all IP addresses on the server.\n#\n# If the server is configured for IPv6 but the IP to bind to is IPv4, then the\n# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use\n# ::ffff:1.2.3.4\n#\n# Leave blank to bind to all IP addresses on the server\nUI_IP = \"\"\n\n# This should be a secure, hard to guess username\n# \n# This must be changed from the default\nUI_USER = \"admin\"\n\n# This should be a secure, hard to guess password. That is, at least 8\n# characters long with a mixture of upper and lowercase characters plus \n# numbers and non-alphanumeric characters\n#\n# This must be changed from the default\nUI_PASS = \"password\"\n\n# This is the login session timeout. If there is no activity for a logged in\n# session within this number of seconds, the session will timeout and a new\n# login will be required\n#\n# For security reasons, you should always keep this option low (i.e. 60-300)\nUI_TIMEOUT = \"300\"\n\n# This is the maximum concurrent connections allowed to the server. 
The default\n# value should be sufficient\nUI_CHILDREN = \"5\"\n\n# The number of login retries allowed within a 24 hour period. A successful\n# login from the IP address will clear the failures\n#\n# For security reasons, you should always keep this option low (i.e. 0-10)\nUI_RETRY = \"5\"\n\n# If enabled, this option will add the connecting IP address to the file\n# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be\n# able to log in to the UI while it is listed in this file. The UI_BAN setting\n# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,\n# csf.ignore, etc.\n#\n# For security reasons, you should always enable this option\nUI_BAN = \"1\"\n\n# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will\n# be allowed to log in to the UI. The UI_ALLOW setting does not refer to any of\n# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.\n#\n# For security reasons, you should always enable this option and use ui.allow\nUI_ALLOW = \"1\"\n\n# If enabled, this option will trigger an iptables block through csf after\n# UI_RETRY login failures\n#\n# 0 = no block; 1 = perm block; nn = temp block for nn secs\nUI_BLOCK = \"1\"\n\n# This controls what email alerts are sent with regards to logins to the UI. It\n# uses the uialert.txt template\n#\n# 4 = login success + login failure/ban/block + login attempts\n# 3 = login success + login failure/ban/block\n# 2 = login failure/ban/block\n# 1 = login ban/block\n# 0 = disabled\nUI_ALERT = \"4\"\n\n# This is the SSL cipher list that the Integrated UI will negotiate from\nUI_CIPHER = \"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH\"\n\n# This is the SSL protocol version used. 
See IO::Socket::SSL if you wish to\n# change this and to understand the implications of changing it\nUI_SSL_VERSION = \"SSLv23:!SSLv3:!SSLv2\"\n\n# If cxs is installed then enabling this option will provide a dropdown box to\n# switch between applications\nUI_CXS = \"0\"\n\n# There is a modified installation of ConfigServer Explorer (cse) provided with\n# the csf distribution. If this option is enabled it will provide a dropdown\n# box to switch between applications\nUI_CSE = \"0\"\n\n###############################################################################\n# SECTION:Messenger service\n###############################################################################\n# Messenger service. This feature allows the display of a message to a blocked\n# connecting IP address to inform the user that they are blocked in the\n# firewall. This can help when users get themselves blocked, e.g. due to\n# multiple login failures. The service is provided by two daemons running on\n# ports providing either an HTML or TEXT message\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# IPv6 will need the IO::Socket::INET6 perl module\n#\n# For further information on features and limitations refer to the csf\n# readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\n#\n# 1 to enable, 0 to disable\nMESSENGER = \"0\"\n\n# Provide this service to temporary IP address blocks\nMESSENGER_TEMP = \"1\"\n\n# Provide this service to permanent IP address blocks\nMESSENGER_PERM = \"1\"\n\n# User account to run the service servers under. 
We recommend creating a\n# specific non-priv, non-shell account for this purpose\n#\n# Note: When using MESSENGERV2, this account must NOT be a valid control panel\n# account, it must be created manually as explained in the csf readme.txt\nMESSENGER_USER = \"csf\"\n\n# This option points to the file(s) containing the Apache VirtualHost SSL\n# definitions. This can be a file glob if there are multiple files to search.\n# Only Apache v2 SSL VirtualHost definitions are supported\n#\n# This is used by MESSENGERV1 and MESSENGERV2 only\nMESSENGER_HTTPS_CONF = \"/etc/httpd/conf.d/ssl.conf\"\n\n# The following options can be specified to provide a default fallback\n# certificate to be used if either SNI is not supported or a hosted domain does\n# not have an SSL certificate. If a fallback is not provided, one of the certs\n# obtained from MESSENGER_HTTPS_CONF will be used\n#\n# This is used by MESSENGERV1 and MESSENGERV2 only\nMESSENGER_HTTPS_KEY = \"/etc/pki/tls/private/localhost.key\"\nMESSENGER_HTTPS_CRT = \"/etc/pki/tls/certs/localhost.crt\"\n\n# Set this to the port that will receive the HTTPS HTML message. You should\n# configure this port to be >1023 and different from the TEXT and HTML port. Do\n# NOT enable access to this port in TCP_IN. This option requires the perl\n# module IO::Socket::SSL at a version level that supports SNI (1.83+).\n# Additionally the version of openssl on the server must also support SNI\n#\n# The option uses existing SSL certificates on the server for each domain to\n# maintain a secure connection without browser warnings. It uses SNI to choose\n# the correct certificate to use for each client connection\n#\n# Warning: On some servers the amount of memory used by the HTTPS MESSENGER\n# service can become significant depending on various factors associated with\n# the use of IO::Socket::SSL including the number of domains and certificates\n# served. 
This is normally only an issue if using MESSENGERV1\nMESSENGER_HTTPS = \"8887\"\n\n# This comma separated list is the HTTPS HTML ports that will be redirected\n# for the blocked IP address. If you are using per application blocking\n# (LF_TRIGGER) then only the relevant block port will be redirected to the\n# messenger port\n#\n# Recommended setting \"443\" plus any end-user control panel SSL ports. So, for\n# cPanel: \"443,2083,2096\"\nMESSENGER_HTTPS_IN = \"443\"\n\n# Set this to the port that will receive the HTML message. You should configure\n# this port to be >1023 and different from the TEXT port. Do NOT enable access\n# to this port in TCP_IN\nMESSENGER_HTML = \"8888\"\n\n# This comma separated list is the HTML ports that will be redirected for the\n# blocked IP address. If you are using per application blocking (LF_TRIGGER)\n# then only the relevant block port will be redirected to the messenger port\nMESSENGER_HTML_IN = \"80\"\n\n# Set this to the port that will receive the TEXT message. You should configure\n# this port to be >1023 and different from the HTML port. Do NOT enable access\n# to this port in TCP_IN\nMESSENGER_TEXT = \"8889\"\n\n# This comma separated list is the TEXT ports that will be redirected for the\n# blocked IP address. If you are using per application blocking (LF_TRIGGER)\n# then only the relevant block port will be redirected to the messenger port\nMESSENGER_TEXT_IN = \"21\"\n\n# These settings limit the rate at which connections can be made to the\n# messenger service servers. Their purpose is to provide protection from\n# attacks or excessive connections to the servers. 
If the rate is exceeded then\n# iptables will revert for the duration to the normal blocking activity\n#\n# See the iptables man page for the correct --limit rate syntax\nMESSENGER_RATE = \"100/s\"\nMESSENGER_BURST = \"150\"\n\n# MESSENGERV1 only:\n#------------------------------------------------------------------------------\n# This is the maximum concurrent connections allowed to each service server\n#\n# Note: This number should be increased to cater for the number of local images\n# served by this page, including one for favicon.ico. This is because each\n# image displayed counts as an additional connection\nMESSENGER_CHILDREN = \"20\"\n\n# This option ignores ServerAlias definitions that begin with \"mail.\". This\n# can help reduce memory usage on systems that do not require the use of\n# MESSENGER_HTTPS on those subdomains\n#\n# Set to 0 to include these ServerAlias definitions\nMESSENGER_HTTPS_SKIPMAIL = \"1\"\n\n# MESSENGERV2 only:\n#------------------------------------------------------------------------------\n# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+\n# under EA4.\n#\n# This uses the Apache http daemon to provide the web server functionality for\n# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources\n# that the lfd inbuilt service uses and overcomes the memory overhead of using\n# the MESSENGER HTTPS service\n#\n# For more information consult readme.txt before enabling this option\n#MESSENGERV2 = \"0\"\n\n# MESSENGERV3 only:\n#------------------------------------------------------------------------------\n# MESSENGERV3. This option is available on any server running Apache v2.4+,\n# Litespeed or Openlitespeed\n#\n# This uses the web server http daemon to provide the web server functionality\n# for the MESSENGER HTML and HTTPS services. 
It uses a fraction of the\n# resources that the lfd inbuilt service uses and overcomes the memory overhead\n# of using the MESSENGER HTTPS service\n#\n# For more information consult readme.txt before enabling this option\nMESSENGERV3 = \"0\"\n\n# This is the file or directory where the additional web server configuration\n# file should be included\nMESSENGERV3LOCATION = \"/etc/httpd/conf.d/\"\n\n# This is the command to restart the web server\nMESSENGERV3RESTART = \"service httpd restart\"\n\n# This is the command to test the validity of the web server configuration. If\n# using Litespeed, set to \"\"\nMESSENGERV3TEST = \"/usr/sbin/apachectl -t\"\n\n# This must be set to the main httpd.conf file for either Apache or Litespeed\nMESSENGERV3HTTPS_CONF = \"/etc/httpd/conf/httpd.conf\"\n\n# This can be set to either:\n# \"apache\" - for servers running Apache v2.4+ or Litespeed using Apache\n# configuration\n# \"litespeed\" - for Litespeed or Openlitespeed\nMESSENGERV3WEBSERVER = \"apache\"\n\n# On creation, set the MESSENGER_USER public_html directory permissions to the\n# following value\n# Note: If you precreate this directory the following setting will be ignored\nMESSENGERV3PERMS = \"711\"\n\n# On creation, set the MESSENGER_USER public_html directory group owner to the\n# following value\n# Note: If you precreate this directory the following setting will be ignored\nMESSENGERV3GROUP = \"apache\"\n\n# This is the web server configuration to allow PHP scripts to run. If left\n# empty, the MESSENGER service will try to configure this. If this does not\n# work, this should be set as an \"Include /path/to/csf_php.conf\" or similar\n# file which must contain appropriate web server configuration to allow PHP\n# scripts to run. This line will be included within each MESSENGER VirtualHost\n# container. 
This will replace the [MESSENGERV3PHPHANDLER] line from the csf\n# webserver template files\nMESSENGERV3PHPHANDLER = \"\"\n\n# RECAPTCHA:\n#------------------------------------------------------------------------------\n# The RECAPTCHA options provide a way for end-users that have blocked\n# themselves in the firewall to unblock themselves.\n#\n# A valid Google ReCAPTCHA (v2) key set is required for this feature from:\n# https://www.google.com/recaptcha/intro/index.html\n#\n# When configuring a new reCAPTCHA API key set you must ensure that the option\n# for \"Domain Name Validation\" is unticked so that the same reCAPTCHA can be\n# used for all domains hosted on the server. lfd then checks that the hostname\n# of the request resolves to an IP on this server\n#\n# This feature requires the installation of the LWP::UserAgent perl module (see\n# option URLGET for more details)\n#\n# The template used for this feature is /etc/csf/messenger/index.recaptcha.html\n#\n# Note: An unblock will fail if the end-user's IP is located in a netblock,\n# blocklist or CC_* deny entry\nRECAPTCHA_SITEKEY = \"\"\nRECAPTCHA_SECRET = \"\"\n\n# Send an email when an IP address successfully attempts to unblock themselves.\n# This does not necessarily mean the IP was unblocked, only that the\n# post-recaptcha unblock request was attempted\n#\n# Set to \"0\" to disable\nRECAPTCHA_ALERT = \"1\"\n\n# If the server uses NAT then resolving the hostname to hosted IPs will likely\n# not succeed. In that case, the external IP addresses must be listed as a comma\n# separated list here\nRECAPTCHA_NAT = \"\"\n\n###############################################################################\n# SECTION:lfd Clustering\n###############################################################################\n# lfd Clustering. 
This allows the configuration of an lfd cluster environment\n# where a group of servers can share blocks and configuration option changes.\n# Included are CLI and UI options to send requests to the cluster.\n#\n# See the readme.txt file for more information and details on setup and\n# security risks.\n#\n# Set this to a comma separated list of cluster member IP addresses to send\n# requests to. Alternatively, it can be set to the full path of a file that\n# will be read in, one IP per line, e.g.:\n# \"/etc/csf/cluster_sendto.txt\"\nCLUSTER_SENDTO = \"\"\n\n# Set this to a comma separated list of cluster member IP addresses to receive\n# requests from. Alternatively, it can be set to the full path of a file that\n# will be read in, one IP per line, e.g.:\n# \"/etc/csf/cluster_recvfrom.txt\"\nCLUSTER_RECVFROM = \"\"\n\n# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG\n# changes\nCLUSTER_MASTER = \"\"\n\n# If this is a NAT server, set this to the public IP address of this server\nCLUSTER_NAT = \"\"\n\n# If a cluster member should send requests on an IP other than the default IP,\n# set it here\nCLUSTER_LOCALADDR = \"\"\n\n# Cluster communication port (must be the same on all member servers). There\n# is no need to open this port in the firewall as csf will automatically add\n# in and out bound rules to allow communication between cluster members\nCLUSTER_PORT = \"7777\"\n\n# This is a secret key used to encrypt cluster communications using the\n# Blowfish algorithm. It should be between 8 and 56 characters long,\n# preferably > 20 random characters\n# 56 chars: 01234567890123456789012345678901234567890123456789012345\nCLUSTER_KEY = \"\"\n\n# Automatically send lfd blocks to all members of CLUSTER_SENDTO. 
Those\n# servers must have this server's IP address listed in their CLUSTER_RECVFROM\n#\n# Set to 0 to disable this feature\nCLUSTER_BLOCK = \"1\"\n\n# This option allows the enabling and disabling of the Cluster configuration\n# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the\n# CLUSTER_MASTER server\n#\n# Set this option to 1 to allow Cluster configurations to be received\nCLUSTER_CONFIG = \"0\"\n\n# Maximum number of child processes to listen on. High blocking rates or large\n# clusters may need to increase this\nCLUSTER_CHILDREN = \"10\"\n\n###############################################################################\n# SECTION:Port Knocking\n###############################################################################\n# Port Knocking. This feature allows port knocking to be enabled on multiple\n# ports with a variable number of knocked ports and a timeout. There must be a\n# minimum of 3 ports to knock for an entry to be valid\n#\n# See the following for information regarding Port Knocking:\n# http://www.portknocking.org/\n#\n# This feature does not work on servers that do not have the iptables module\n# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS\n# server admins should check with their VPS host provider that the iptables\n# module is included\n#\n# For further information and syntax refer to the Port Knocking section of the\n# csf readme.txt\n#\n# Note: Run /etc/csf/csftest.pl to check whether this option will function on\n# this server\n#\n# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...\n# e.g.: 22;TCP;20;100;200;300;400\nPORTKNOCKING = \"\"\n\n# Enable PORTKNOCKING logging by iptables\nPORTKNOCKING_LOG = \"1\"\n\n# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must\n# also be enabled to use this option\n#\n# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read\n# this file about RESTRICT_SYSLOG before enabling this option:\nPORTKNOCKING_ALERT = \"0\"\n\n###############################################################################\n# SECTION:Log Scanner\n###############################################################################\n# Log Scanner. This feature will send out an email summary of the log lines of\n# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless\n# they match a regular expression in /etc/csf/csf.logignore\n#\n# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,\n# be aware that the more files lfd has to track, the greater the performance\n# hit. Note: File globs are only evaluated when lfd is started\n#\n# Note: lfd builds the report continuously from lines logged after lfd has\n# started, so any lines logged when lfd is not running will not be reported\n# (e.g. during reboot). If lfd is restarted, then the report will include any\n# lines logged during the previous lfd logging period that weren't reported\n#\n# 1 to enable, 0 to disable\nLOGSCANNER = \"0\"\n\n# This is the interval at which each report is sent, based on the logalert.txt\n# template\n#\n# The interval can be set to:\n# \"hourly\" - sent on the hour\n# \"daily\" - sent at midnight (00:00)\n# \"manual\" - sent whenever \"csf --logrun\" is run. This allows for scheduling\n# via cron job\nLOGSCANNER_INTERVAL = \"hourly\"\n\n# Report Style\n# 1 = Separate chronological log lines per log file\n# 2 = A single chronological log of all lines\nLOGSCANNER_STYLE = \"1\"\n\n# Send the report email even if no log lines are reported\n# 1 to enable, 0 to disable\nLOGSCANNER_EMPTY = \"1\"\n\n# Maximum number of lines in the report before it is truncated. This is to\n# prevent log line flooding resulting in an excessively large report. 
This\n# might need to be increased if you choose a daily report\nLOGSCANNER_LINES = \"5000\"\n\n###############################################################################\n# SECTION:Statistics Settings\n###############################################################################\n# Statistics\n#\n# Some of the Statistics output requires the gd graphics library and the\n# GD::Graph perl module with all dependent modules to be installed for the UI\n# for them to be displayed\n#\n# This option enables statistical data gathering\nST_ENABLE = \"1\"\n\n# This option determines how many iptables log lines to store for reports\nST_IPTABLES = \"100\"\n\n# This option indicates whether rDNS and CC lookups are performed at the time\n# the log line is recorded (this is not performed when viewing the reports)\n#\n# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,\n# then enabling this setting could cause serious performance problems\nST_LOOKUP = \"0\"\n\n# This option will gather basic system statistics. Through the UI it displays\n# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:\n# . Hourly (per minute)\n# . 24 hours (per minute)\n# . 7 days (per minute averaged over an hour)\n# . 30 days (per minute averaged over an hour) - user definable\n# The data is stored in /var/lib/csf/stats/system and the option requires the\n# perl GD::Graph module\n#\n# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on\n# those systems does not store the required information in /proc/diskstats\n# On new installations or when enabling this option it will take time for these\n# graphs to be populated\nST_SYSTEM = \"0\"\n\n# Set the maximum days to collect statistics for. The default is 30 days; the\n# more data that is collected the longer it will take for each of the graphs to\n# be generated\nST_SYSTEM_MAXDAYS = \"30\"\n\n# If ST_SYSTEM is enabled, then these options can collect MySQL statistical\n# data. 
To use this option the server must have the perl modules DBI and\n# DBD::mysql installed.\n#\n# Set this option to \"0\" to disable MySQL data collection\nST_MYSQL = \"0\"\n\n# The following options are for authentication for MySQL data collection. If\n# the password is left blank and the user set to \"root\" then the procedure will\n# look for authentication data in /root/.my.cnf. Otherwise, you will need to\n# provide a MySQL username and password to collect the data. Any MySQL user\n# account can be used\nST_MYSQL_USER = \"root\"\nST_MYSQL_PASS = \"\"\nST_MYSQL_HOST = \"localhost\"\n\n# If ST_SYSTEM is enabled, then this option can collect Apache statistical data\n# The value for PT_APACHESTATUS must be correctly set\nST_APACHE = \"0\"\n\n# The following options measure disk write performance using dd (location set\n# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and\n# the statistics will plot the MB/s response time of the disk. As this is an IO\n# intensive operation, it may not be prudent to run this test too often, so by\n# default it is only run every 5 minutes and the result duplicated for each\n# intervening minute for the statistics\n#\n# This is not necessarily a good measure of disk performance, primarily because\n# the measurements are for relatively small amounts of data over a small amount\n# of time. To properly test disk performance there are a variety of tools\n# available that should be run for extended periods of time to obtain an\n# accurate measurement. This metric is provided to give an idea of how the disk\n# is performing over time\n#\n# Note: There is a 15 second timeout performing the check\n#\n# Set to 0 to disable, 1 to enable\nST_DISKW = \"0\"\n\n# The number of minutes that elapse between tests. Default is 5, minimum is 1.\nST_DISKW_FREQ = \"5\"\n\n# This is the command line passed to dd. 
If you are familiar with dd, or wish\n# to move the output file (of) to a different disk, then you can alter this\n# command. Take great care when making any changes to this command as it is\n# very easy to overwrite a disk using dd if you make a mistake\nST_DISKW_DD = \"if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync\"\n\n###############################################################################\n# SECTION:Docker Settings\n###############################################################################\n# This section provides the configuration of iptables rules to allow Docker\n# containers to communicate through the host. If the generated rules do not\n# work with your setup you will have to use a /etc/csf/csfpost.sh file and add\n# your own iptables configuration instead\n#\n# 1 to enable, 0 to disable\nDOCKER = \"0\"\n\n# The network device on the host\nDOCKER_DEVICE = \"docker0\"\n\n# Docker container IPv4 range\nDOCKER_NETWORK4 = \"172.17.0.0/16\"\n\n# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table\n# available (see IPv6 section). 
Leave blank to disable\nDOCKER_NETWORK6 = \"2001:db8:1::/64\"\n\n###############################################################################\n# SECTION:OS Specific Settings\n###############################################################################\n# Binary locations\nIPTABLES = \"/sbin/iptables\"\nIPTABLES_SAVE = \"/sbin/iptables-save\"\nIPTABLES_RESTORE = \"/sbin/iptables-restore\"\nIP6TABLES = \"/sbin/ip6tables\"\nIP6TABLES_SAVE = \"/sbin/ip6tables-save\"\nIP6TABLES_RESTORE = \"/sbin/ip6tables-restore\"\nMODPROBE = \"/sbin/modprobe\"\nIFCONFIG = \"/sbin/ifconfig\"\nSENDMAIL = \"/usr/sbin/sendmail\"\nPS = \"/bin/ps\"\nVMSTAT = \"/usr/bin/vmstat\"\nNETSTAT = \"/bin/netstat\"\nLS = \"/bin/ls\"\nMD5SUM = \"/usr/bin/md5sum\"\nTAR = \"/bin/tar\"\nCHATTR = \"/usr/bin/chattr\"\nUNZIP = \"/usr/bin/unzip\"\nGUNZIP = \"/bin/gunzip\"\nDD = \"/bin/dd\"\nTAIL = \"/usr/bin/tail\"\nGREP = \"/bin/grep\"\nZGREP = \"/bin/zgrep\"\nIPSET = \"/sbin/ipset\"\nSYSTEMCTL = \"/bin/systemctl\"\nHOST = \"/usr/bin/host\"\nIP = \"/bin/ip\"\nCURL = \"/usr/bin/curl\"\nWGET = \"/usr/bin/wget\"\n\n# Log file locations\n#\n# File globbing is allowed for the following logs. 
However, be aware that the\n# more files lfd has to track, the greater the performance hit\n#\n# Note: File globs are only evaluated when lfd is started\n#\nHTACCESS_LOG = \"/var/log/apache2/error.log\"\nMODSEC_LOG = \"/var/log/apache2/error.log\"\nSSHD_LOG = \"/var/log/auth.log\"\nSU_LOG = \"/var/log/messages\"\nSUDO_LOG = \"/var/log/secure\"\nFTPD_LOG = \"/var/log/messages\"\nSMTPAUTH_LOG = \"/var/log/secure\"\nPOP3D_LOG = \"/var/log/mail.log\"\nIMAPD_LOG = \"/var/log/mail.log\"\nIPTABLES_LOG = \"/var/log/messages\"\nSUHOSIN_LOG = \"/var/log/messages\"\nBIND_LOG = \"/var/log/messages\"\nSYSLOG_LOG = \"/var/log/messages\"\nWEBMIN_LOG = \"/var/log/auth.log\"\n\nCUSTOM1_LOG = \"/var/log/customlog\"\nCUSTOM2_LOG = \"/var/log/customlog\"\nCUSTOM3_LOG = \"/var/log/customlog\"\nCUSTOM4_LOG = \"/var/log/customlog\"\nCUSTOM5_LOG = \"/var/log/customlog\"\nCUSTOM6_LOG = \"/var/log/customlog\"\nCUSTOM7_LOG = \"/var/log/customlog\"\nCUSTOM8_LOG = \"/var/log/customlog\"\nCUSTOM9_LOG = \"/var/log/customlog\"\n\n# The following are comma separated lists used if LF_SELECT is enabled,\n# otherwise they are not used. They are derived from the application returned\n# from a regex match in /usr/local/csf/bin/regex.pm\n#\n# All ports default to tcp blocks. To specify udp or tcp use the format:\n# port;protocol,port;protocol,... For example, \"53;udp,53;tcp\"\nPORTS_pop3d = \"110,995\"\nPORTS_imapd = \"143,993\"\nPORTS_htpasswd = \"80,443\"\nPORTS_mod_security = \"80,443\"\nPORTS_mod_qos = \"80,443\"\nPORTS_symlink = \"80,443\"\nPORTS_suhosin = \"80,443\"\nPORTS_cxs = \"80,443\"\nPORTS_bind = \"53;udp,53;tcp\"\nPORTS_ftpd = \"20,21\"\nPORTS_webmin = \"10000\"\nPORTS_smtpauth = \"25,465,587\"\nPORTS_eximsyntax = \"25,465,587\"\n# This list is replaced, if present, by \"Port\" definitions in\n# /etc/ssh/sshd_config\nPORTS_sshd = \"22\"\n\n# This configuration is for use with generic Linux servers, do not change the\n# following setting:\nGENERIC = \"1\"\n\n# For internal use only. 
You should not enable this option as it could cause\n# instability in csf and lfd\nDEBUG = \"0\"\n###############################################################################\n
", "tags": ["configure"]}, {"location": "cheatsheet/conf/#clean-version", "title": "Clean Version", "text": "TESTING = \"0\"\nTESTING_INTERVAL = \"5\"\nRESTRICT_SYSLOG = \"0\"\nRESTRICT_SYSLOG_GROUP = \"mysyslog\"\nRESTRICT_UI = \"1\"\nAUTO_UPDATES = \"1\"\nLF_SPI = \"1\"\nTCP_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\nTCP_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\nUDP_IN = \"20,21,53,853,80,443\"\nUDP_OUT = \"20,21,53,853,113,123\"\nICMP_IN = \"1\"\nICMP_IN_RATE = \"1/s\"\nICMP_OUT = \"1\"\nICMP_OUT_RATE = \"0\"\nICMP_TIMESTAMPDROP = \"0\"\nIPV6 = \"1\"\nIPV6_ICMP_STRICT = \"0\"\nIPV6_SPI = \"1\"\nTCP6_IN = \"20,21,22,25,53,853,80,110,143,443,465,587,993,995,5000\"\nTCP6_OUT = \"20,21,22,25,53,853,80,110,113,443,587,993,995\"\nUDP6_IN = \"20,21,53,853,80,443\"\nUDP6_OUT = \"20,21,53,853,113,123\"\nETH_DEVICE = \"\"\nETH6_DEVICE = \"\"\nETH_DEVICE_SKIP = \"\"\nUSE_CONNTRACK = \"1\"\nUSE_FTPHELPER = \"0\"\nSYSLOG_CHECK = \"0\"\nIGNORE_ALLOW = \"0\"\nDNS_STRICT = \"0\"\nDNS_STRICT_NS = \"0\"\nDENY_IP_LIMIT = \"200\"\nDENY_TEMP_IP_LIMIT = \"100\"\nLF_DAEMON = \"1\"\nLF_CSF = \"1\"\nFASTSTART = \"1\"\nLF_IPSET = \"0\"\nWAITLOCK = \"1\"\nWAITLOCK_TIMEOUT = \"300\"\nLF_IPSET_HASHSIZE = \"1024\"\nLF_IPSET_MAXELEM = \"65536\"\nLFDSTART = \"0\"\nVERBOSE = \"1\"\nPACKET_FILTER = \"1\"\nLF_LOOKUPS = \"1\"\nSTYLE_CUSTOM = \"0\"\nSTYLE_MOBILE = \"1\"\nSMTP_BLOCK = \"0\"\nSMTP_ALLOWLOCAL = \"1\"\nSMTP_REDIRECT = \"0\"\nSMTP_PORTS = \"25,465,587\"\nSMTP_ALLOWUSER = \"\"\nSMTP_ALLOWGROUP = \"mail,mailman\"\nSMTPAUTH_RESTRICT = \"0\"\nSYNFLOOD = \"0\"\nSYNFLOOD_RATE = \"100/s\"\nSYNFLOOD_BURST = \"150\"\nCONNLIMIT = \"\"\nPORTFLOOD = \"\"\nUDPFLOOD = \"0\"\nUDPFLOOD_LIMIT = \"100/s\"\nUDPFLOOD_BURST = \"500\"\nUDPFLOOD_ALLOWUSER = \"named\"\nSYSLOG = \"0\"\nDROP = \"DROP\"\nDROP_OUT = \"REJECT\"\nDROP_LOGGING = \"1\"\nDROP_IP_LOGGING = \"0\"\nDROP_OUT_LOGGING = \"1\"\nDROP_UID_LOGGING = \"1\"\nDROP_ONLYRES = \"0\"\nDROP_NOLOG = 
\"23,67,68,111,113,135:139,445,500,513,520\"\nDROP_PF_LOGGING = \"0\"\nCONNLIMIT_LOGGING = \"0\"\nUDPFLOOD_LOGGING = \"1\"\nLOGFLOOD_ALERT = \"0\"\nLF_ALERT_TO = \"\"\nLF_ALERT_FROM = \"\"\nLF_ALERT_SMTP = \"\"\nBLOCK_REPORT = \"\"\nUNBLOCK_REPORT = \"\"\nX_ARF = \"0\"\nX_ARF_FROM = \"\"\nX_ARF_TO = \"\"\nX_ARF_ABUSE = \"0\"\nLF_PERMBLOCK = \"1\"\nLF_PERMBLOCK_INTERVAL = \"86400\"\nLF_PERMBLOCK_COUNT = \"4\"\nLF_PERMBLOCK_ALERT = \"1\"\nLF_NETBLOCK = \"0\"\nLF_NETBLOCK_INTERVAL = \"86400\"\nLF_NETBLOCK_COUNT = \"4\"\nLF_NETBLOCK_CLASS = \"C\"\nLF_NETBLOCK_ALERT = \"1\"\nLF_NETBLOCK_IPV6 = \"\"\nSAFECHAINUPDATE = \"0\"\nDYNDNS = \"0\"\nDYNDNS_IGNORE = \"0\"\nLF_GLOBAL = \"0\"\nGLOBAL_ALLOW = \"\"\nGLOBAL_DENY = \"\"\nGLOBAL_IGNORE = \"\"\nGLOBAL_DYNDNS = \"\"\nGLOBAL_DYNDNS_INTERVAL = \"600\"\nGLOBAL_DYNDNS_IGNORE = \"0\"\nLF_BOGON_SKIP = \"\"\nURLGET = \"2\"\nURLPROXY = \"\"\nMM_LICENSE_KEY = \"\"\nCC_SRC = \"2\"\nCC_DENY = \"\"\nCC_ALLOW = \"\"\nCC_ALLOW_FILTER = \"\"\nCC_ALLOW_PORTS = \"\"\nCC_ALLOW_PORTS_TCP = \"\"\nCC_ALLOW_PORTS_UDP = \"\"\nCC_DENY_PORTS = \"\"\nCC_DENY_PORTS_TCP = \"\"\nCC_DENY_PORTS_UDP = \"\"\nCC_IGNORE = \"\"\nCC_ALLOW_SMTPAUTH = \"\"\nCC_MESSENGER_ALLOW = \"\"\nCC_MESSENGER_DENY = \"\"\nCC_DROP_CIDR = \"\"\nCC_LOOKUPS = \"1\"\nCC6_LOOKUPS = \"0\"\nCC_INTERVAL = \"14\"\nLF_TRIGGER = \"0\"\nLF_TRIGGER_PERM = \"1\"\nLF_SELECT = \"0\"\nLF_EMAIL_ALERT = \"1\"\nLF_TEMP_EMAIL_ALERT = \"1\"\nLF_SSHD = \"5\"\nLF_SSHD_PERM = \"1\"\nLF_FTPD = \"10\"\nLF_FTPD_PERM = \"1\"\nLF_SMTPAUTH = \"5\"\nLF_SMTPAUTH_PERM = \"1\"\nLF_EXIMSYNTAX = \"10\"\nLF_EXIMSYNTAX_PERM = \"1\"\nLF_POP3D = \"0\"\nLF_POP3D_PERM = \"1\"\nLF_IMAPD = \"0\"\nLF_IMAPD_PERM = \"1\"\nLF_HTACCESS = \"5\"\nLF_HTACCESS_PERM = \"1\"\nLF_MODSEC = \"5\"\nLF_MODSEC_PERM = \"1\"\nLF_BIND = \"0\"\nLF_BIND_PERM = \"1\"\nLF_SUHOSIN = \"0\"\nLF_SUHOSIN_PERM = \"1\"\nLF_CXS = \"0\"\nLF_CXS_PERM = \"1\"\nLF_QOS = \"0\"\nLF_QOS_PERM = \"1\"\nLF_SYMLINK = \"0\"\nLF_SYMLINK_PERM = \"1\"\nLF_WEBMIN = 
\"0\"\nLF_WEBMIN_PERM = \"1\"\nLF_SSH_EMAIL_ALERT = \"1\"\nLF_SU_EMAIL_ALERT = \"1\"\nLF_SUDO_EMAIL_ALERT = \"0\"\nLF_WEBMIN_EMAIL_ALERT = \"1\"\nLF_CONSOLE_EMAIL_ALERT = \"1\"\nLF_APACHE_404 = \"0\"\nLF_APACHE_404_PERM = \"3600\"\nLF_APACHE_403 = \"0\"\nLF_APACHE_403_PERM = \"3600\"\nLF_APACHE_401 = \"0\"\nLF_APACHE_ERRPORT = \"0\"\nLF_APACHE_401_PERM = \"3600\"\nLF_MODSECIPDB_ALERT = \"0\"\nLF_MODSECIPDB_FILE = \"/var/run/modsecurity/data/ip.pag\"\nLF_EXPLOIT = \"300\"\nLF_EXPLOIT_IGNORE = \"\"\nLF_INTERVAL = \"3600\"\nLF_PARSE = \"5\"\nLF_FLUSH = \"3600\"\nLF_REPEATBLOCK = \"0\"\nLF_BLOCKINONLY = \"0\"\nCF_ENABLE = \"0\"\nCF_BLOCK = \"block\"\nCF_TEMP = \"3600\"\nLF_DIRWATCH = \"300\"\nLF_DIRWATCH_DISABLE = \"0\"\nLF_DIRWATCH_FILE = \"0\"\nLF_INTEGRITY = \"3600\"\nLF_DISTATTACK = \"0\"\nLF_DISTATTACK_UNIQ = \"2\"\nLF_DISTFTP = \"0\"\nLF_DISTFTP_UNIQ = \"3\"\nLF_DISTFTP_PERM = \"1\"\nLF_DISTFTP_ALERT = \"1\"\nLF_DISTSMTP = \"0\"\nLF_DISTSMTP_UNIQ = \"3\"\nLF_DISTSMTP_PERM = \"1\"\nLF_DISTSMTP_ALERT = \"1\"\nLF_DIST_INTERVAL = \"300\"\nLF_DIST_ACTION = \"\"\nLT_POP3D = \"0\"\nLT_IMAPD = \"0\"\nLT_EMAIL_ALERT = \"1\"\nLT_SKIPPERMBLOCK = \"0\"\nCT_LIMIT = \"0\"\nCT_INTERVAL = \"30\"\nCT_EMAIL_ALERT = \"1\"\nCT_PERMANENT = \"0\"\nCT_BLOCK_TIME = \"1800\"\nCT_SKIP_TIME_WAIT = \"0\"\nCT_STATES = \"\"\nCT_PORTS = \"\"\nCT_SUBNET_LIMIT = \"0\"\nPT_LIMIT = \"60\"\nPT_INTERVAL = \"60\"\nPT_SKIP_HTTP = \"0\"\nPT_DELETED = \"0\"\nPT_DELETED_ACTION = \"\"\nPT_USERPROC = \"10\"\nPT_USERMEM = \"512\"\nPT_USERRSS = \"256\"\nPT_USERTIME = \"1800\"\nPT_USERKILL = \"0\"\nPT_USERKILL_ALERT = \"1\"\nPT_USER_ACTION = \"\"\nPT_LOAD = \"30\"\nPT_LOAD_AVG = \"5\"\nPT_LOAD_LEVEL = \"6\"\nPT_LOAD_SKIP = \"3600\"\nPT_APACHESTATUS = \"http://127.0.0.1/server-status\"\nPT_LOAD_ACTION = \"\"\nPT_FORKBOMB = \"0\"\nPT_SSHDKILL = \"0\"\nPT_SSHDHUNG = \"0\"\nPS_INTERVAL = \"0\"\nPS_LIMIT = \"10\"\nPS_PORTS = \"0:65535,ICMP\"\nPS_DIVERSITY = \"1\"\nPS_PERMANENT = \"0\"\nPS_BLOCK_TIME = 
\"3600\"\nPS_EMAIL_ALERT = \"1\"\nUID_INTERVAL = \"0\"\nUID_LIMIT = \"10\"\nUID_PORTS = \"0:65535,ICMP\"\nAT_ALERT = \"2\"\nAT_INTERVAL = \"60\"\nAT_NEW = \"1\"\nAT_OLD = \"1\"\nAT_PASSWD = \"1\"\nAT_UID = \"1\"\nAT_GID = \"1\"\nAT_DIR = \"1\"\nAT_SHELL = \"1\"\nUI = \"1\"\nUI_PORT = \"8546\"\nUI_IP = \"\"\nUI_USER = \"admin\"\nUI_PASS = \"password\"\nUI_TIMEOUT = \"300\"\nUI_CHILDREN = \"5\"\nUI_RETRY = \"5\"\nUI_BAN = \"1\"\nUI_ALLOW = \"1\"\nUI_BLOCK = \"1\"\nUI_ALERT = \"4\"\nUI_CIPHER = \"ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH\"\nUI_SSL_VERSION = \"SSLv23:!SSLv3:!SSLv2\"\nUI_CXS = \"0\"\nUI_CSE = \"0\"\nMESSENGER = \"0\"\nMESSENGER_TEMP = \"1\"\nMESSENGER_PERM = \"1\"\nMESSENGER_USER = \"csf\"\nMESSENGER_HTTPS_CONF = \"/etc/httpd/conf.d/ssl.conf\"\nMESSENGER_HTTPS_KEY = \"/etc/pki/tls/private/localhost.key\"\nMESSENGER_HTTPS_CRT = \"/etc/pki/tls/certs/localhost.crt\"\nMESSENGER_HTTPS = \"8887\"\nMESSENGER_HTTPS_IN = \"443\"\nMESSENGER_HTML = \"8888\"\nMESSENGER_HTML_IN = \"80\"\nMESSENGER_TEXT = \"8889\"\nMESSENGER_TEXT_IN = \"21\"\nMESSENGER_RATE = \"100/s\"\nMESSENGER_BURST = \"150\"\nMESSENGER_CHILDREN = \"20\"\nMESSENGER_HTTPS_SKIPMAIL = \"1\"\nMESSENGERV3 = \"0\"\nMESSENGERV3LOCATION = \"/etc/httpd/conf.d/\"\nMESSENGERV3RESTART = \"service httpd restart\"\nMESSENGERV3TEST = \"/usr/sbin/apachectl -t\"\nMESSENGERV3HTTPS_CONF = \"/etc/httpd/conf/httpd.conf\"\nMESSENGERV3WEBSERVER = \"apache\"\nMESSENGERV3PERMS = \"711\"\nMESSENGERV3GROUP = \"apache\"\nMESSENGERV3PHPHANDLER = \"\"\nRECAPTCHA_SITEKEY = \"\"\nRECAPTCHA_SECRET = \"\"\nRECAPTCHA_ALERT = \"1\"\nRECAPTCHA_NAT = \"\"\nCLUSTER_SENDTO = \"\"\nCLUSTER_RECVFROM = \"\"\nCLUSTER_MASTER = \"\"\nCLUSTER_NAT = \"\"\nCLUSTER_LOCALADDR = \"\"\nCLUSTER_PORT = \"7777\"\nCLUSTER_KEY = \"\"\nCLUSTER_BLOCK = \"1\"\nCLUSTER_CONFIG = \"0\"\nCLUSTER_CHILDREN = \"10\"\nPORTKNOCKING = \"\"\nPORTKNOCKING_LOG = \"1\"\nPORTKNOCKING_ALERT = \"0\"\nLOGSCANNER = \"0\"\nLOGSCANNER_INTERVAL = 
\"hourly\"\nLOGSCANNER_STYLE = \"1\"\nLOGSCANNER_EMPTY = \"1\"\nLOGSCANNER_LINES = \"5000\"\nST_ENABLE = \"1\"\nST_IPTABLES = \"100\"\nST_LOOKUP = \"0\"\nST_SYSTEM = \"0\"\nST_SYSTEM_MAXDAYS = \"30\"\nST_MYSQL = \"0\"\nST_MYSQL_USER = \"root\"\nST_MYSQL_PASS = \"\"\nST_MYSQL_HOST = \"localhost\"\nST_APACHE = \"0\"\nST_DISKW = \"0\"\nST_DISKW_FREQ = \"5\"\nST_DISKW_DD = \"if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync\"\nDOCKER = \"0\"\nDOCKER_DEVICE = \"docker0\"\nDOCKER_NETWORK4 = \"172.17.0.0/16\"\nDOCKER_NETWORK6 = \"2001:db8:1::/64\"\nIPTABLES = \"/sbin/iptables\"\nIPTABLES_SAVE = \"/sbin/iptables-save\"\nIPTABLES_RESTORE = \"/sbin/iptables-restore\"\nIP6TABLES = \"/sbin/ip6tables\"\nIP6TABLES_SAVE = \"/sbin/ip6tables-save\"\nIP6TABLES_RESTORE = \"/sbin/ip6tables-restore\"\nMODPROBE = \"/sbin/modprobe\"\nIFCONFIG = \"/sbin/ifconfig\"\nSENDMAIL = \"/usr/sbin/sendmail\"\nPS = \"/bin/ps\"\nVMSTAT = \"/usr/bin/vmstat\"\nNETSTAT = \"/bin/netstat\"\nLS = \"/bin/ls\"\nMD5SUM = \"/usr/bin/md5sum\"\nTAR = \"/bin/tar\"\nCHATTR = \"/usr/bin/chattr\"\nUNZIP = \"/usr/bin/unzip\"\nGUNZIP = \"/bin/gunzip\"\nDD = \"/bin/dd\"\nTAIL = \"/usr/bin/tail\"\nGREP = \"/bin/grep\"\nZGREP = \"/bin/zgrep\"\nIPSET = \"/sbin/ipset\"\nSYSTEMCTL = \"/bin/systemctl\"\nHOST = \"/usr/bin/host\"\nIP = \"/bin/ip\"\nCURL = \"/usr/bin/curl\"\nWGET = \"/usr/bin/wget\"\nHTACCESS_LOG = \"/var/log/apache2/error.log\"\nMODSEC_LOG = \"/var/log/apache2/error.log\"\nSSHD_LOG = \"/var/log/auth.log\"\nSU_LOG = \"/var/log/messages\"\nSUDO_LOG = \"/var/log/secure\"\nFTPD_LOG = \"/var/log/messages\"\nSMTPAUTH_LOG = \"/var/log/secure\"\nPOP3D_LOG = \"/var/log/mail.log\"\nIMAPD_LOG = \"/var/log/mail.log\"\nIPTABLES_LOG = \"/var/log/messages\"\nSUHOSIN_LOG = \"/var/log/messages\"\nBIND_LOG = \"/var/log/messages\"\nSYSLOG_LOG = \"/var/log/messages\"\nWEBMIN_LOG = \"/var/log/auth.log\"\nCUSTOM1_LOG = \"/var/log/customlog\"\nCUSTOM2_LOG = \"/var/log/customlog\"\nCUSTOM3_LOG = 
\"/var/log/customlog\"\nCUSTOM4_LOG = \"/var/log/customlog\"\nCUSTOM5_LOG = \"/var/log/customlog\"\nCUSTOM6_LOG = \"/var/log/customlog\"\nCUSTOM7_LOG = \"/var/log/customlog\"\nCUSTOM8_LOG = \"/var/log/customlog\"\nCUSTOM9_LOG = \"/var/log/customlog\"\nPORTS_pop3d = \"110,995\"\nPORTS_imapd = \"143,993\"\nPORTS_htpasswd = \"80,443\"\nPORTS_mod_security = \"80,443\"\nPORTS_mod_qos = \"80,443\"\nPORTS_symlink = \"80,443\"\nPORTS_suhosin = \"80,443\"\nPORTS_cxs = \"80,443\"\nPORTS_bind = \"53;udp,53;tcp\"\nPORTS_ftpd = \"20,21\"\nPORTS_webmin = \"10000\"\nPORTS_smtpauth = \"25,465,587\"\nPORTS_eximsyntax = \"25,465,587\"\nPORTS_sshd = \"22\"\nGENERIC = \"1\"\nDEBUG = \"0\"\n
", "tags": ["configure"]}, {"location": "cheatsheet/structure/", "title": "Cheatsheet: File & Folder Structure", "text": "When installing, configuring, and running CSF; it is helpful to know where files and folders are stored within your system, and what their purpose is. A list of these files and folders used by CSF are provided below:
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#directory-structure", "title": "Directory Structure", "text": "Directories associated with ConfigServer Filewall which house all of the files used to configure and manage CSF.
Folder Description/etc/csf/
configuration files /var/lib/csf/
temporary data files /usr/local/csf/bin/
scripts /usr/local/csf/lib/
perl modules and static data /usr/local/csf/tpl/
email alert templates ", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#file-structure", "title": "File Structure", "text": "Files associated with ConfigServer Firewall configuration and management.
File | Description
/etc/csf/csf.conf | The main configuration file.
/etc/csf/csf.allow | A list of IPs and CIDR addresses that should always be allowed through the firewall.
/etc/csf/csf.deny | A list of IPs and CIDR addresses that should never be allowed through the firewall.
/etc/csf/csf.ignore | A list of IPs and CIDR addresses that the login failure daemon should ignore and not block if detected.
/etc/csf/csf.*ignore | Various ignore files that list files, users and IPs that the login failure daemon should ignore.
/lib/systemd/system/lfd.service | Service file for lfd (Login Failure Daemon)
/lib/systemd/system/csf.service | Service file for csf (ConfigServer Firewall)
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/structure/#patcher-files", "title": "Patcher Files", "text": "The following files are associated with the ConfigServer Firewall patcher, which adds special iptables rules so that CSF can communicate with Docker & OpenVPN.
File | Description
/usr/local/csf/bin/csfpre.sh | Patcher pre script. Runs before CSF configures iptables.
/usr/local/csf/bin/csfpost.sh | Patcher post script. Runs after CSF configures iptables.
/usr/local/include/csf/post.d/docker.sh | Docker patch for CSF which adds firewall rules for Docker and CSF.
/usr/local/include/csf/post.d/openvpn.sh | OpenVPN patch for CSF which adds firewall rules for OpenVPN and CSF.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/", "title": "Cheatsheet: Troubleshooting", "text": "The information below lists errors you may receive within CSF, with steps on how to correct each issue.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/#cant-locate-object-method-new-via-package-cryptcbc-at-usrsbincsf-line", "title": "Can't locate object method \"new\" via package \"Crypt::CBC\" at /usr/sbin/csf line ***", "text": "This error occurs when Crypt::CBC cannot be found. It is sometimes seen when executing commands such as sudo csf -cp
.
To correct the issue, open the file /usr/sbin/csf
in a text editor.
Locate the lines:
use ConfigServer::Sendmail;\nuse ConfigServer::LookUpIP qw(iplookup);\n
Add a new line with use Crypt::CBC; as shown below (the trailing semicolon is required, as with every Perl use statement):
use ConfigServer::Sendmail;\nuse ConfigServer::LookUpIP qw(iplookup);\nuse Crypt::CBC;\n
Save the file, and re-execute your previous command which caused the error.
", "tags": ["cheatsheet", "configure"]}, {"location": "cheatsheet/troubleshooting/#csf46313-open3-exec-of-sbinipset-flush-failed-no-such-file-or-directory-at-usrsbincsf-line", "title": "csf[46313]: open3: exec of /sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line ****.", "text": "This error occurs when you are missing the package ipset
. Install it with the following commands:
Debian based systems:
sudo apt update\nsudo apt-get install ipset\n
Redhat based systems:
sudo yum check-update\nsudo yum install ipset\n
", "tags": ["cheatsheet", "configure"]}, {"location": "csf/configure/", "title": "Configure & Startup", "text": "After you have installed ConfigServer Firewall in the previous chapter; you can start configuring it to suit your server\u2019s requirements.
", "tags": ["configure"]}, {"location": "csf/configure/#configure", "title": "Configure", "text": "The main configuration file for CSF is located at /etc/csf/csf.conf
. You can use your preferred text editor to modify the file, such as nano or vim:
sudo nano /etc/csf/csf.conf\n
The list below outlines just a few of the important settings that you can modify within ConfigServer Firewall.
Patcher Note: when you run the patcher install.sh, TESTING MODE will automatically be disabled after the script has successfully completed.
- TESTING: Set this value to 0 to disable testing mode and activate the firewall.
- TCP_IN and TCP_OUT: These settings define the allowed incoming and outgoing TCP ports, respectively. Add or remove ports as required, separated by commas.
- UDP_IN and UDP_OUT: These settings define the allowed incoming and outgoing UDP ports, respectively. Add or remove ports as required, separated by commas.
- DENY_IP_LIMIT: This setting defines the maximum number of IP addresses that can be listed in the /etc/csf/csf.deny file. Adjust this limit as needed.
- CT_LIMIT: This setting controls the number of connections from a single IP address that are allowed before the IP is temporarily blocked. Adjust this value according to your server\u2019s requirements.
Make sure to review the configuration file and adjust the settings to suit your server\u2019s needs. After making changes to the configuration file, save and exit the text editor.
Two example csf.conf configuration files are provided, a full version and a clean (uncommented) version, and can be viewed on the csf.conf page.
", "tags": ["configure"]}, {"location": "csf/configure/#start-configserver", "title": "Start ConfigServer", "text": "After you have set your config file to its desired values; you can now start up or restart the CSF service to apply the configurations. Open Terminal and run:
", "tags": ["configure"]}, {"location": "csf/configure/#enable", "title": "Enable", "text": "-e, --enable
Enable csf and lfd if previously disabled
sudo csf -e\n
", "tags": ["configure"]}, {"location": "csf/configure/#start", "title": "Start", "text": "-s, --start
Starts the firewall and applies any rules that have been configured at startup.
sudo csf -s\n
", "tags": ["configure"]}, {"location": "csf/configure/#restart", "title": "Restart", "text": "-r, --restart
Restart firewall rules (csf)
sudo csf -r\n
A full list of CSF commands has been provided in our Cheatsheet: Commands section.
", "tags": ["configure"]}, {"location": "csf/configure/#next-steps", "title": "Next Steps", "text": "Next: Installing the Admin WebUI. Instructions for installing the CSF Admin Web Interface (../webui).", "tags": ["configure"]}, {"location": "csf/install/", "title": "Install CSF", "text": "These steps explain how to install ConfigServer Firewall on your system. There are two possible ways to install CSF, which are listed below:
The Patch method takes much of the work out of installing CSF. It installs all prerequisites automatically and sets CSF to start with TESTING MODE disabled. After CSF has been installed using the patcher, the Docker and OpenVPN patches are automatically installed next.
The Manual method requires you to install all prerequisites using your OS package manager, then download the latest copy of CSF and extract and install it on your system. You will have to run the patcher after you have installed CSF.
", "tags": ["install"]}, {"location": "csf/install/#install-using-patch", "title": "Install: Using Patch", "text": "If you would like to install ConfigServer Firewall using this repo's patcher, download the patch:
git clone https://github.com/Aetherinox/csf-firewall.git\n
Set the permissions for the install.sh file (the path is relative to the directory you ran git clone in):
sudo chmod +x ./csf-firewall/patch/install.sh\n
Run the script:
sudo ./csf-firewall/patch/install.sh\n
If ConfigServer Firewall is not already installed on your system, you should see:
Installing package iptables\n Installing package ipset\n Installing package ConfigServer Firewall\n\n Patch installer will now start ...\n
After the patcher has installed CSF, it will then automatically install the Docker and OpenVPN patches. All you need to do afterwards is ensure CSF is up and running.
Please proceed to the section Configure & Start CSF.
", "tags": ["install"]}, {"location": "csf/install/#install-manually", "title": "Install: Manually", "text": "", "tags": ["install"]}, {"location": "csf/install/#prerequisites", "title": "Prerequisites", "text": "For CentOS/RHEL:
sudo yum install perl ipset\n
For Debian/Ubuntu:
sudo apt-get update \nsudo apt-get install perl ipset\n
To download and install CSF, follow these steps:
wget https://download.configserver.com/csf.tgz\n
tar -xzf csf.tgz\n
cd csf\n
sudo sh install.sh\n
CSF will now be installed on your server, along with its Web UI (ConfigServer Firewall & Security) if you have a control panel like cPanel or DirectAdmin installed.
", "tags": ["install"]}, {"location": "csf/install/#next-steps", "title": "Next Steps", "text": "Next: How to Configure & Start CSF Instructions for editing the CSF config file and starting CSF for the first time ../configure ../configure", "tags": ["install"]}, {"location": "csf/testing/", "title": "Install CSF: Testing", "text": "Before enabling and configuring CSF, it is crucial to test whether it is compatible with your server. Run the following command to initiate the test:
sudo perl /usr/local/csf/bin/csftest.pl\n
The test will check for any potential issues or conflicts. If the test completes successfully, you will see the message:
\u201cRESULT: csf should function on this server.\u201d\n
If there are any problems, the test will provide information on how to resolve them.
", "tags": ["install"]}, {"location": "csf/uninstall/", "title": "Uninstall CSF", "text": "If you decide to uninstall CSF for any reason, follow these steps:
cd /etc/csf\n
sudo sh uninstall.sh\n
The script will remove CSF and its associated files from your server.
", "tags": ["install"]}, {"location": "csf/webui/", "title": "Install WebUI", "text": "ConfigServer Firewall offers a WebUI for the managing firewall from the web interface. This section explains how to install the WebUI.
", "tags": ["install"]}, {"location": "csf/webui/#step-1-install-required-perl-modules", "title": "Step 1: Install Required Perl Modules:", "text": "The CSF WebUI requires a few Perl modules to be installed on your system. Use the following commands to install the required modules as per your operating system.
Debian-based systems:
sudo apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl \\\n libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl\n
Redhat-based systems:
sudo yum install perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN \\\n perl-IO-Socket-INET6 perl-Socket6\n
", "tags": ["install"]}, {"location": "csf/webui/#step-2-enable-csf-firewall-web-ui", "title": "Step 2: Enable CSF Firewall Web UI:", "text": "To enable CSF web UI edit /etc/csf/csf.conf file in your favorite text editor and update the following values.
sudo vim /etc/csf/csf.conf\n
# 1 to enable, 0 to disable web ui \nUI = \"1\"\n\n# Set port for web UI. The default port is 6666, but\n# I changed this to 1025 for easy access. The default port caused some issues\n# with the popular Chrome and Firefox browsers (in my case) \n\nUI_PORT = \"1025\"\n\n# Leave blank to bind to all IP addresses on the server \nUI_IP = \"\"\n\n# Set username for authentication \nUI_USER = \"admin\"\n\n# Set a strong password for authentication \nUI_PASS = \"admin\"\n
Change the following values to your own:
UI_PORT
UI_USER
UI_PASS
After making changes, edit the /etc/csf/ui/ui.allow configuration file and add your public IP to allow access to the CSF UI. Replace YOUR_PUBLIC_IP_ADDRESS with your public IP address. The append is done through tee because a >> redirection would be performed by your own unprivileged shell, not under sudo:
echo \"YOUR_PUBLIC_IP_ADDRESS\" | sudo tee -a /etc/csf/ui/ui.allow\n
The Web UI runs under the lfd daemon, so restart lfd on your system using the following command.
sudo service lfd restart\n
In order to gain access to the online admin panel, you must ensure lfd and csf are running. You can check by running the command:
sudo service lfd status\n
You should see the lfd service running:
\u25cf lfd.service - ConfigServer Firewall & Security - lfd\n Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)\n Active: active (running) since Mon 2024-08-05 11:59:38 MST; 1s ago\n Process: 46393 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)\n Main PID: 46407 (lfd - sleeping)\n Tasks: 8 (limit: 4613)\n Memory: 121.7M\n CPU: 2.180s\n CGroup: /system.slice/lfd.service\n
Next, confirm the csf service is also running:
sudo service csf status\n
Check the output of service csf status for errors. You should see none:
\u25cf csf.service - ConfigServer Firewall & Security - csf\n Loaded: loaded (/lib/systemd/system/csf.service; enabled; preset: enabled)\n Active: active (exited) since Mon 2024-08-05 12:04:09 MST; 1s ago\n Process: 46916 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)\n Main PID: 46916 (code=exited, status=0/SUCCESS)\n CPU: 12.692s\n
If you see the following error when running csf status:
csf[46313]: open3: exec of /sbin/ipset flush failed: No such file or directory at /usr/sbin/csf line 5650.\n
you must install ipset:
sudo apt-get update \nsudo apt-get install ipset\n
", "tags": ["install"]}, {"location": "csf/webui/#step-3-access-and-use-web-ui", "title": "Step 3: Access and Use Web UI:", "text": "Now, access CSF UI on your browser with the specified port. For this tutorial; we used 1025 port and accessed the CSF admin panel by opening our browser and going to:
https://127.0.0.1:1025\n
When prompted for the username and password; the default is:
Field Value Usernameadmin
Password admin
After a successful login, you will see a screen like the one below.
Allow IP Address: use the option below to allow any IP quickly. This action adds the entry to the /etc/csf/csf.allow file.
Deny IP Address: use the option below to deny any IP quickly. This action adds the entry to the /etc/csf/csf.deny file.
Unblock IP Address: use the option below to quickly unblock any IP which is already blocked by CSF.
", "tags": ["install"]}, {"location": "csf/tutorials/authentik/", "title": "Authentik Integration", "text": "This section explains how to add Authentik as a middleware through Traefik so that you can secure the ConfigServer WebUI behind an authentication server.
If you are adding Authentik as middleware in the steps above, the last thing you must do is log in to your Authentik admin panel and add a new Provider so that you can access the CSF WebUI via your domain.
Once you sign into the Authentik admin panel, go to the left-side navigation, select Applications -> Providers. Then at the top of the new page, click Create.
For the provider, select Proxy Provider.
Add the following provider values:
- Name: CSF ForwardAuth
- Authentication flow: default-source-authentication (Welcome to authentik!)
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
Select Forward Auth (single application) and set:
- External host: https://csf.domain.com
Once finished, click Create. Then on the left-side menu, select Applications -> Applications. Then at the top of the new page, click Create.
Add the following parameters:
- Name: CSF (ConfigServer Firewall)
- Slug: csf
- Group: Administrative
- Provider: CSF ForwardAuth
- Backchannel Providers: None
- Policy Engine Mode: any
Save, and then on the left-side menu, select Applications -> Outposts:
Find your Outpost and edit it. Move CSF (ConfigServer Firewall) to the right-side Selected Applications box.
You should now be able to access csf.domain.com and be prompted to authenticate with Authentik.
Geographical blocks allow you to blacklist or whitelist an entire country from accessing your services from within ConfigServer Firewall.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#getting-started", "title": "Getting Started", "text": "CSF allows you to pick which service you want to use for geographical blocks. By default, CSF uses db-ip, but you have the option to pick any of the following:
Maxmind
This service is free, but it requires you to sign up for an account and generate an API key in order to use the services. Some have reported that Maxmind databases are slightly more accurate than db-ip.
If you choose this provider, you must fill out MM_LICENSE_KEY within the csf.conf.
Advantages: This is a one-stop shop for all of the databases required for these features. They provide a consistent dataset for blocking and reporting purposes.
Disadvantages: MaxMind requires a license key to download their databases. This is free of charge, but requires the user to create an account on their website to generate the required key.
db-ip, ipdeny, iptoasn
Advantages: The ipdeny.com databases for CC blocking are better optimised and so are quicker to process and create fewer iptables entries. All of these databases are free to download without requiring a login or key.
Disadvantages: Multiple sources mean that any one of the three could interrupt the provision of these features. It may also mean that there are inconsistencies between them.
Performance Impact
If using MaxMind, be aware of how many countries you allow / deny from accessing your server. The more countries you add, the more rules will be added to CSF. These rules are loaded every time you start or restart CSF, and may cause CSF to take longer than normal to boot.
To change which database is used for geo blocking, open your csf.conf config file and locate the setting CC_SRC. If you have the ConfigServer WebUI enabled, you can also access these settings from the CSF Admin WebUI.
# 2. DB-IP, ipdeny.com, iptoasn.com\n#\n# Advantages: The ipdeny.com databases for CC blocking are better optimised\n# and so are quicker to process and create fewer iptables entries. All of these\n# databases are free to download without requiring login or key\n#\n# Disadvantages: Multiple sources mean that any one of the three could\n# interrupt the provision of these features. It may also mean that there are\n# inconsistencies between them\n#\n# https://db-ip.com/db/lite.php\n# http://ipdeny.com/\n# https://iptoasn.com/\n# http://download.geonames.org/export/dump/readme.txt\n\n# Set the following to your preferred source:\n#\n# \"1\" - MaxMind\n# \"2\" - db-ip, ipdeny, iptoasn\n#\n# The default is \"2\" on new installations of csf, or set to \"1\" to use the\n# MaxMind databases after obtaining a license key\nCC_SRC = \"2\"\n
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#using-maxmind", "title": "Using MaxMind", "text": "To configure MaxMind as your specified geo service; you must go to their website and register an account.
Once you have your account, on the left side; select Manage License Keys.
In the middle of the page, you should be able to generate a license key:
After the license key is generated, you must go back to your csf.conf and add the license key to your config. If you are using the CSF WebUI:
Next, you must install MaxMind's geoipupdate utility, which downloads the IP address databases. This tool automatically updates GeoIP2 and GeoLite2 databases: it connects to the MaxMind GeoIP Update server to check for new databases and, if a new database is available, downloads and installs it.
A full set of instructions can also be found at:
Warning
If you are using a firewall, you must have the DNS and HTTPS ports open.
First, install:
sudo add-apt-repository ppa:maxmind/ppa\nsudo apt update\nsudo apt install geoipupdate\n
Once installed, make sure you have a license key generated on the MaxMind website; you will then need to create a new file in /etc/:
sudo touch /etc/GeoIP.conf\n
Add the following code to your newly created /etc/GeoIP.conf. After you paste the code below, you must change the following values:
- AccountID
- LicenseKey
# Please see https://dev.maxmind.com/geoip/updating-databases?lang=en for\n# instructions on setting up geoipupdate, including information on how to\n# download a pre-filled GeoIP.conf file.\n\n# Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account\n# ID and license key combination associated with your MaxMind account. These\n# are available from https://www.maxmind.com/en/my_license_key.\nAccountID 1000101\nLicenseKey ABC1234_56af7s8dshF53Ha_abck\n\n# Enter the edition IDs of the databases you would like to update.\n# Multiple edition IDs are separated by spaces.\nEditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country\n\n# The remaining settings are OPTIONAL.\n\n# The directory to store the database files. Defaults to /usr/share/GeoIP\n# DatabaseDirectory /usr/share/GeoIP\n\n# The server to use. Defaults to \"updates.maxmind.com\".\n# Host updates.maxmind.com\n\n# The proxy host name or IP address. You may optionally specify a\n# port number, e.g., 127.0.0.1:8888. If no port number is specified, 1080\n# will be used.\n# Proxy 127.0.0.1:8888\n\n# The user name and password to use with your proxy server.\n# ProxyUserPassword username:password\n\n# Whether to preserve modification times of files downloaded from the server.\n# Defaults to \"0\".\n# PreserveFileTimes 0\n\n# The lock file to use. This ensures only one geoipupdate process can run at a\n# time.\n# Note: Once created, this lockfile is not removed from the filesystem.\n# Defaults to \".geoipupdate.lock\" under the DatabaseDirectory.\n# LockFile /usr/share/GeoIP/.geoipupdate.lock\n\n# The amount of time to retry for when errors during HTTP transactions are\n# encountered. It can be specified as a (possibly fractional) decimal number\n# followed by a unit suffix. Valid time units are \"ns\", \"us\" (or \"\u00b5s\"), \"ms\",\n# \"s\", \"m\", \"h\".\n# Defaults to \"5m\" (5 minutes).\n# RetryFor 5m\n\n# The number of parallel database downloads.\n# Defaults to \"1\".\n# Parallelism 1\n
After you have created the above config, you need to launch the geoipupdate app. Multiple commands are provided below depending on whether you want to specify where the downloaded databases are placed. A list of arguments is also provided. In our example, we are going to start geoipupdate and download the databases to the path /var/lib/csf/Geo/.
- -d, --database-directory: Install databases to a custom directory. This is optional. If provided, it overrides the DatabaseDirectory value from the configuration file and the GEOIPUPDATE_DB_DIR environment variable.
- -f, --config-file: The configuration file to use. See GeoIP.conf and its documentation for more information. This is optional. It defaults to the environment variable GEOIPUPDATE_CONF_FILE if it is set, or CONFFILE otherwise.
- --parallelism: Set the number of parallel database downloads.
- -h, --help: Display help and exit.
- --stack-trace: Show a stack trace on any error message. This is primarily useful for debugging.
- -V, --version: Display version information and exit.
- -v, --verbose: Enable verbose mode. Prints out the steps that geoipupdate takes. If provided, it overrides any GEOIPUPDATE_VERBOSE environment variable.
- -o, --output: Output download/update results in JSON format.
Start (Basic):
sudo geoipupdate\n
Start (Custom Paths):
sudo geoipupdate --database-directory /var/lib/csf/Geo/ --config-file /etc/GeoIP.conf\n
Start (Verbose Logging):
sudo geoipupdate -v --database-directory /var/lib/csf/Geo/ --config-file /etc/GeoIP.conf\n
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#using-db-ip-ipdeny-iptoasn", "title": "Using db-ip, ipdeny, iptoasn", "text": "This is the second option you can pick within CSF for Geographical blocking. When we initially tried it, it worked right out of the box. It required no modifications, no packages to be installed, and no license keys.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#allow-deny-countries", "title": "Allow / Deny Countries", "text": "After you've completed the steps above, you can whitelist or blacklist specific countries from accessing your server; these lists are managed through your ConfigServer Firewall.
Pick your preferred method:
Open up your csf.conf
file in a text editor and locate the following settings:
CC_DENY
CC_ALLOW
# In the following options, specify the the two-letter ISO Country Code(s).\n# The iptables rules are for incoming connections only\n#\n# Additionally, ASN numbers can also be added to the comma separated lists\n# below that also list Country Codes. The same WARNINGS for Country Codes apply\n# to the use of ASNs. More about Autonomous System Numbers (ASN):\n# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml\n# ASNs must be listed as ASnnnn (where nnnn is the ASN number)\n#\n# You should consider using LF_IPSET when using any of the following options\n#\n# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use\n# non-geographic IP address designations for their clients\n#\n# WARNING: Some of the CIDR lists are huge and each one requires a rule within\n# the incoming iptables chain. This can result in significant performance\n# overheads and could render the server inaccessible in some circumstances. For\n# this reason (amongst others) we do not recommend using these options\n#\n# WARNING: Due to the resource constraints on VPS servers this feature should\n# not be used on such systems unless you choose very small CC zones\n#\n# WARNING: CC_ALLOW allows access through all ports in the firewall. For this\n# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is\n# preferred\n#\n# Each option is a comma separated list of CC's, e.g. \"US,GB,DE\"\nCC_DENY = \"\"\nCC_ALLOW = \"\"\n
In our example, we will blacklist the country China, which uses the abbreviation CN. To do so, our config will look like the following:
CC_DENY = \"CN\"\nCC_ALLOW = \"\"\n
To specify multiple countries, add a comma (,) between each country code.
CC_DENY = \"CN\"\nCC_ALLOW = \"US,GB,DE\"\n
Our rules above mean:
Setting | Countries | Description
--- | --- | ---
CC_DENY | China | Blacklisted countries: cannot access our server
CC_ALLOW | United States, Great Britain, Germany | Whitelisted countries: can access our server ", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#manage-with-csf-webui", "title": "Manage with CSF WebUI", "text": "Sign into the ConfigServer WebUI.
Select the tab CSF, scroll down and select Firewall Configuration, and then in the top dropdown box in the middle of the page, select Country Code Lists and Settings.
We will add the following to each setting:
CC_DENY = \"CN\"\nCC_ALLOW = \"US,GB,DE\"\n
Below is an animated gif showing the steps.
Once you have modified your country values, scroll to the very bottom and press the Change button.
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/geographical/#restart-csf", "title": "Restart CSF", "text": "After you have whitelisted / blacklisted your desired countries, give CSF a restart:
-ra, --restartall: Restart firewall rules (csf) and then restart the lfd daemon. Both csf and lfd should be restarted after making any changes to the configuration files.
sudo csf -ra\n
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/traefik/", "title": "Traefik Integration", "text": "This section explains how to integrate ConfigServer Firewall and Traefik so that you can access the CSF WebUI via your domain name, but restrict access to the server IP address and port.
Open /etc/csf/csf.conf and change UI_IP. This specifies the IP address that the CSF WebUI will bind to. By default, the value is empty and binds CSF's WebUI to all IPs on your server.
Find:
UI_IP = \"\"\n
Change the IP to your Docker network gateway address. You MUST use the format shown below, an IPv4-mapped IPv6 address (::ffff: followed by the IPv4 address):
UI_IP = \"::ffff:172.17.0.1\"\n
The above change will ensure that your CSF WebUI is not accessible via your public IP address. We're going to allow access to it via your domain name, but add some Traefik middleware so that you must authenticate before you can access the WebUI.
Next, we can add CSF through Docker and Traefik so that it's accessible via csf.domain.com. Open up your Traefik's dynamic.yml and add the following:
http:\n  routers:\n    csf-http:\n      service: \"csf\"\n      rule: \"Host(`csf.{{ env \"SERVER_DOMAIN\" }}`)\"\n      entryPoints:\n        - \"http\"\n      middlewares:\n        - https-redirect@file\n\n    csf-https:\n      service: \"csf\"\n      rule: \"Host(`csf.{{ env \"SERVER_DOMAIN\" }}`)\"\n      entryPoints:\n        - \"https\"\n      middlewares:\n        - authentik@file\n        - whitelist@file\n        - geoblock@file\n      tls:\n        certResolver: cloudflare\n        domains:\n          - main: \"{{ env \"SERVER_DOMAIN\" }}\"\n            sans:\n              - \"*.{{ env \"SERVER_DOMAIN\" }}\"\n
At the bottom of the same file, we must now add a new loadBalancer rule under http -> services. Change the ip and port if you have different values:
http:\n  routers:\n    [CODE FROM ABOVE]\n  services:\n    csf:\n      loadBalancer:\n        servers:\n          - url: \"https://172.17.0.1:8546/\"\n
With the example above, we are also going to add a few middlewares:
By applying the above middlewares, we can restrict what IP addresses can access your CSF WebUI, as well as add Authentik's authentication system so that you must authenticate first before getting into the CSF WebUI. These are all optional, and you can apply whatever middlewares you deem fit.
You must configure the above middleware if you have not added it to Traefik yet. This guide does not go into how to add middleware to Traefik, that information can be found at:
Once you configure these changes in Traefik, you can restart your Traefik docker container. The command for that depends on how you set up the container. If you used docker-compose.yml, you can cd into the folder with the docker-compose.yml file and then execute:
docker compose down && docker compose up -d\n
", "tags": ["configure", "tutorials"]}, {"location": "csf/tutorials/traefik/#next-steps", "title": "Next Steps", "text": "Next: Integrating Authentik Instructions for adding Authentik middleware to ConfigServer via Traefik ../authentik", "tags": ["configure", "tutorials"]}, {"location": "patcher/configure/", "title": "Configure Patches", "text": "Before you run the downloaded patcher, there are several files you must open and edit. Do not run the patcher yet.
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#docker", "title": "Docker", "text": "The Docker patch has a few settings that must be modified. To change these settings, open the file:
sudo nano /patch/docker.sh\n
Find the following settings:
DOCKER_INT=\"docker0\"\nNETWORK_MANUAL_MODE=\"false\"\nNETWORK_ADAPT_NAME=\"traefik\"\nCSF_FILE_ALLOW=\"/etc/csf/csf.allow\"\nCSF_COMMENT=\"Docker container whitelist\"\nDEBUG_ENABLED=\"true\"\n\n# #\n# list > network ips\n#\n# this is the list of IP addresses you will use with docker that must be\n# whitelisted.\n# #\n\nIP_CONTAINERS=(\n '172.17.0.0/16'\n)\n
The settings are outlined below:
Setting | Description
--- | ---
DOCKER_INT | Main docker network interface
NETWORK_MANUAL_MODE | Set true if you are manually assigning the ip address for each docker container
NETWORK_ADAPT_NAME | Requires NETWORK_MANUAL_MODE=\"true\"; name of the adapter you are specifying
CSF_FILE_ALLOW | Path to your csf.allow file
CSF_COMMENT | Comment added to each new whitelisted docker ip
DEBUG_ENABLED | Debugging / better logs
IP_CONTAINERS | List of ip address blocks you will be using for your docker setup. These blocks will be whitelisted through ConfigServer Firewall ", "tags": ["install", "patch"]}, {"location": "patcher/configure/#settings", "title": "Settings", "text": "Each individual setting with a detailed description
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#docker_int", "title": "DOCKER_INT", "text": "2.0.0 docker0
The main docker virtual bridge network name; this is usually docker0, however, it can be changed. You can find a list of these by running the command
ip link show\n
Output 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default \n link/ether 01:af:fd:1a:a1:2f ard ff:ff:ff:ff:ff:ff\n
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#network_manual_mode", "title": "NETWORK_MANUAL_MODE", "text": "
2.0.0 false
Set true if you are manually assigning external: true for each docker container within your docker-compose.yml.
networks:\n my-docker-network:\n name: my-docker-network\n external: true\n
NETWORK_MANUAL_MODE=\"true\"\nNETWORK_ADAPT_NAME=\"my-docker-network\"\n
If you set NETWORK_MANUAL_MODE=\"true\", ensure you also configure the setting NETWORK_ADAPT_NAME.
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#network_adapt_name", "title": "NETWORK_ADAPT_NAME", "text": "
2.0.0 traefik
The name of the adapter you are specifying if you have manually specified a network adapter in your docker container's docker-compose.yml. Requires NETWORK_MANUAL_MODE=\"true\".
networks:\n my-docker-network:\n name: my-docker-network\n external: true\n
NETWORK_MANUAL_MODE=\"true\"\nNETWORK_ADAPT_NAME=\"my-docker-network\"\n
", "tags": ["install", "patch"]}, {"location": "patcher/configure/#openvpn", "title": "OpenVPN", "text": "
The OpenVPN patch has a few settings that must be modified. To change these settings, open the file:
sudo nano /patch/openvpn.sh\n
", "tags": ["install", "patch"]}, {"location": "patcher/download/", "title": "Download Patches", "text": "After you have installed CSF and ConfigServer WebUI, and enabled both the lfd and csf services, it's time to run the patcher. The patcher will check your current configuration and add a series of iptables rules so that apps like Docker and OpenVPN can communicate with the outside world and users can access your services.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#about", "title": "About", "text": "The patcher includes several patches:
Docker
Allows you to restart CSF without having to restart your docker containers. Scans every container you have set up in docker and adds a whitelist firewall rule. Automatically enables CSF Docker Mode.
OpenVPN
Allows VPN clients to connect to your OpenVPN server without being blocked by the CSF firewall.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#download", "title": "Download", "text": "Within your server, change to whichever directory you want to download the patcher to:
cd $HOME/Documents\n
Next, ensure you have the package git installed so that we can use it to fetch the patch:
sudo apt-get install git\n
Clone the patch repo:
git clone https://github.com/Aetherinox/csf-firewall.git\n
Finally, set execute permissions on the patcher's install.sh file by running the command:
sudo chmod +x /patch/install.sh\n
The patcher is now on your system and ready to run. However, before we run the patcher, there are a few things that need to be configured. Do not run the patch yet.
Proceed to the Configure section.
", "tags": ["install", "patch"]}, {"location": "patcher/download/#next-steps", "title": "Next Steps", "text": "Next: How to configure the patcher Instructions for configuring the patches included ../configure/ ../configure/", "tags": ["install", "patch"]}, {"location": "about/tags/", "title": "Tags", "text": "Following is a list of relevant tags:
"}, {"location": "about/tags/#changelog", "title": "changelog", "text": "