

/etc/csf/csf.conf

1###############################################################################
2# SECTION:Initial Settings
3###############################################################################
4# ConfigServer Firewall & Security Configuration File
5#
6# Copyright 2006-2013, Way to the Web Limited
7# URL: http://www.configserver.com
8# Email: sales@waytotheweb.com
9###############################################################################
10
11# Testing flag - enables a CRON job that clears iptables in case of
12# configuration problems when you start csf. This should be enabled until you
13# are sure that the firewall works - i.e. in case you get locked out of your
14# server! Then do remember to set it to 0 and restart csf when you're sure
15# everything is OK. Stopping csf will remove the line from /etc/crontab
16#
17# lfd will not start while this is enabled
18TESTING = "0"
19
20# The interval for the crontab in minutes. Since this uses the system clock the
21# CRON job will run at the interval past the hour and not from when you issue
22# the start command. Therefore an interval of 5 minutes means the firewall
23# will be cleared in 0-5 minutes from the firewall start
24TESTING_INTERVAL = "5"
25
26# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
27# runs once per day to see if there is an update to csf+lfd and upgrades if
28# available and restarts csf and lfd
29#
30# You should check for new version announcements at http://blog.configserver.com
31AUTO_UPDATES = "0"
32
33###############################################################################
34# SECTION:IPv4 Port Settings
35###############################################################################
36# Lists of ports in the following comma separated lists can be added using a
37# colon (e.g. 30000:35000).
38
39# Allow incoming TCP ports
# NOTE(review): 30000:50000 exposes roughly 20k inbound TCP ports. Ports 20/21
# are open as well, so this looks like a passive-FTP data range — confirm it
# matches the FTP daemon's configured passive range and narrow it if possible.
40TCP_IN = "20,21,22,37,53,80,443,2401,5280,9418,30000:50000"
41
42# Allow outgoing TCP ports
43TCP_OUT = "20,21,22,25,37,53,80,110,143,443,465,587,873,993,995,1129,2401,3306,5280,9418,11371,27017,30000:50000"
44
45# Allow incoming UDP ports
# NOTE(review): 33434:33523 admits inbound traceroute probes (see UDP_OUT);
# 60000:60040 — confirm which service actually listens on that range.
46UDP_IN = "20,21,53,123,161,33434:33523,60000:60040"
47
48# Allow outgoing UDP ports
49# To allow outgoing traceroute add 33434:33523 to this list
50UDP_OUT = "20,21,53,113,123,161,33434:33523,60000:60040"
51
52# Allow incoming PING
# "0" drops inbound echo requests; ICMP_IN_RATE below presumably only takes
# effect once this is enabled — confirm.
53ICMP_IN = "0"
54
55# Set the per IP address incoming ICMP packet rate
56# To disable rate limiting set to "0"
57ICMP_IN_RATE = "1/s"
58
59# Allow outgoing PING
60ICMP_OUT = "1"
61
62# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
63# e.g. "1/s"
64# To disable rate limiting set to "0"
65ICMP_OUT_RATE = "1/s"
66
67###############################################################################
68# SECTION:IPv6 Port Settings
69###############################################################################
70# IPv6: (Requires ip6tables)
71#
72# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
73# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
74#
75# Supported:
76# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
77# PACKET_FILTER, WATCH_MODE, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*
78#
79# Not supported:
80# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, SYNFLOOD, PORTFLOOD, DYNDNS,
81# ICMP_IN, ICMP_OUT, LF_NETBLOCK, MESSENGER, CC_IGNORE, CONNLIMIT,
82# CC_ALLOW_PORTS, CC_DENY_PORTS
83#
84# Partially supported:
85# CC_LOOKUPS - reverse DNS only and requires the perl module Socket6 from cpan
86#
87# MESSENGER service - not supported: no REDIRECT support in ip6tables as yet
88#
89IPV6 = "0"
90
91# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
92# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
93# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
94# connection types
95IPV6_ICMP_STRICT = "0"
96
97# Pre v2.6.20 kernel must set this option to "0" as no working state module is
98# present, so a static firewall is configured as a fallback
99#
100# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
101# not support IPv6 connection tracking by opening ephemeral port range
102# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
103# same workaround implemented by RedHat in the sample default IPv6 rules
104#
105# Because connection tracking does not work on such kernels, applications that
106# rely on it (e.g. apache, passive ftp, etc) will not function unless you open
107# all outgoing ports. To do this set the following:
108#
109# TCP6_OUT = "0:65535"
110# UDP6_OUT = "0:65535"
111#
112# If you allow incoming ipv6 DNS lookups you will need to use the following
113# directive in the options{} section of your named.conf:
114#
115#        query-source-v6 port 53;
116#
117# This will force ipv6 incoming DNS traffic only through port 53
118#
119# These changes are not necessary if the SPI firewall is used
120IPV6_SPI = "1"
121
122# Allow incoming IPv6 TCP ports
123TCP6_IN = "53"
124
125# Allow outgoing TCP ports
126TCP6_OUT = "53"
127
128# Allow incoming UDP ports
129UDP6_IN = "53"
130
131# Allow outgoing UDP ports
132# To allow outgoing traceroute add 33434:33523 to this list
133UDP6_OUT = "53"
134
135###############################################################################
136# SECTION:General Settings
137###############################################################################
138# By default, csf will auto-configure iptables to filter all traffic except on
139# the loopback device. If you only want iptables rules applied to a specific
140# NIC, then list it here (e.g. eth1, or eth+)
141ETH_DEVICE = ""
142
143# By adding a device to this option, ip6tables can be configured only on the
144# specified device. Otherwise, ETH_DEVICE and then the default setting will be
145# used
146ETH6_DEVICE = ""
147
148# If you don't want iptables rules applied to specific NICs, then list them in
149# a comma separated list (e.g "eth1,eth2")
150ETH_DEVICE_SKIP = ""
151
152# To switch from the deprecated iptables "state" module to the "conntrack"
153# module, change this to 1
154USE_CONNTRACK = "1"
155
156# Check whether syslog is running. Many of the lfd checks require syslog to be
157# running correctly. This test will send a coded message to syslog every
158# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
159# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
160# syslogalert.txt is sent
161#
162# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
163SYSLOG_CHECK = "0"
164
165# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
166# listed in csf.allow in addition to csf.ignore (the default). This option
167# should be used with caution as it would mean that IP's allowed through the
168# firewall from infected PC's could launch attacks on the server that lfd
169# would ignore
170IGNORE_ALLOW = "0"
171
172# Enable the following option if you want to apply strict iptables rules to DNS
173# traffic (i.e. relying on iptables connection tracking). Enabling this option
174# could cause DNS resolution issues both to and from the server but could help
175# prevent abuse of the local DNS server
176DNS_STRICT = "0"
177
178# Enable the following option if you want to apply strict iptables rules to DNS
179# traffic between the server and the nameservers listed in /etc/resolv.conf
180# Enabling this option could cause DNS resolution issues both to and from the
181# server but could help prevent abuse of the local DNS server
182DNS_STRICT_NS = "0"
183
184# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
185# important as a large number of IP addresses create a large number of iptables
186# rules (4 times the number of IP's) which can cause problems on some systems
187# where either the number of iptables entries has been limited (esp VPS's)
188# or where resources are limited. This can result in slow network performance,
189# or, in the case of iptables entry limits, can prevent your server from
190# booting as not all the required iptables chain settings will be correctly
191# configured. The value set here is the maximum number of IPs/CIDRs allowed
192# if the limit is reached, the entries will be rotated so that the oldest
193# entries (i.e. the ones at the top) will be removed and the latest is added.
194# The limit is only checked when using csf -d (which is what lfd also uses)
195# Set to 0 to disable limiting
196DENY_IP_LIMIT = "100"
197
198# Limit the number of IP's kept in the temporary IP ban list. If the limit is
199# reached the oldest IP's in the ban list will be removed and allowed
200# regardless of the amount of time remaining for the block
201# Set to 0 to disable limiting
202DENY_TEMP_IP_LIMIT = "100"
203
204# Enable login failure detection daemon (lfd). If set to 0 none of the
205# following settings will have any effect as the daemon won't start.
206LF_DAEMON = "1"
207
208# Check whether csf appears to have been stopped and restart if necessary,
209# unless TESTING is enabled above. The check is done every 300 seconds
210LF_CSF = "1"
211
212# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
213# IP6TABLES_RESTORE in two ways:
214#
215# 1. On a clean server reboot the entire csf iptables configuration is saved
216#    and then restored where possible to provide a near instant firewall
217#    startup[*]
218#
219# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
220#    BOGON, TOR are loaded using this method in a fraction of the time than if
221#    this setting is disabled
222#
223# [*]Not supported on all OS platforms
224#
225# Set to "0" to disable this functionality
226FASTSTART = "0"
227
228# If you enable this option then whenever a CLI request to restart csf is used
229# lfd will restart csf instead within LF_PARSE seconds
230#
231# This feature can be helpful for restarting configurations that cannot use
232# FASTSTART
233LFDSTART = "1"
234
235# Enable verbose output of iptables commands
236VERBOSE = "1"
237
238# Enable packet filtering for unwanted or illegal packets. This will drop
239# packets that iptables has deemed INVALID (i.e. there is no established TCP
240# connection in the state table), or if the TCP flags in the packet are out of
241# sequence or illegal in the protocol exchange.
242#
243# If you see packets being dropped that you would rather allow then disable
244# this option by setting it to "0"
245PACKET_FILTER = "1"
246
247# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
248LF_LOOKUPS = "1"
249
250###############################################################################
251# SECTION:SMTP Settings
252###############################################################################
253# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
254# to use the exim/sendmail binary instead of sockets access). This replaces the
255# protection as WHM > Tweak Settings > SMTP Tweaks
256#
257# This option uses the iptables ipt_owner/xt_owner module and must be loaded
258# for it to work. It may not be available on some VPS platforms
259#
260# Note: Run /etc/csf/csftest.pl to check whether this option will function on
261# this server
262SMTP_BLOCK = "0"
263
264# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
265# on the server (e.g. for webmail or web scripts) then enable this option to
266# allow outgoing SMTP connections to the loopback device
267SMTP_ALLOWLOCAL = "1"
268
269# This is a comma separated list of the ports to block. You should list all
270# ports that exim is configured to listen on
271SMTP_PORTS = "25"
272
273# Always allow the following comma separated users and groups to bypass
274# SMTP_BLOCK
275#
276# Note: root (UID:0) is always allowed
277SMTP_ALLOWUSER = ""
278SMTP_ALLOWGROUP = "mail,mailman"
279
280###############################################################################
281# SECTION:Port Flood Settings
282###############################################################################
283# Enable SYN Flood Protection. This option configures iptables to offer some
284# protection from tcp SYN packet DOS attempts. You should set the RATE so that
285# false-positives are kept to a minimum otherwise visitors may see connection
286# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
287# man page for the correct --limit rate syntax
288#
289# Note: This option should ONLY be enabled if you know you are under a SYN
290# flood attack as it will slow down all new connections from any IP address to
291# the server if triggered
# NOTE(review): enabled permanently here despite the note above. Once new SYNs
# exceed 100/s (burst 150) every new connection from any client is
# rate-limited, so legitimate visitors are affected too — confirm this is
# intentional.
292SYNFLOOD = "1"
293SYNFLOOD_RATE = "100/s"
294SYNFLOOD_BURST = "150"
295
296# Connection Limit Protection. This option configures iptables to offer more
297# protection from DOS attacks against specific ports. It can also be used as a
298# way to simply limit resource usage by IP address to specific server services.
299# This option limits the number of concurrent new connections per IP address
300# that can be made to specific ports
301#
302# This feature does not work on servers that do not have the iptables module
303# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
304# server admins should check with their VPS host provider that the iptables
305# module is included
306#
307# For further information and syntax refer to the Connection Limit Protection
308# section of the csf readme.txt
309#
310# Note: Run /etc/csf/csftest.pl to check whether this option will function on
311# this server
# Read as port;limit pairs: presumably 19 concurrent connections per IP to
# 22, 80 and 443, and 5 to 53 — confirm against readme.txt (not shown here).
312CONNLIMIT = "22;19,80;19,443;19,53;5"
313
314# Port Flood Protection. This option configures iptables to offer protection
315# from DOS attacks against specific ports. This option limits the number of
316# new connections per time interval that can be made to specific ports
317#
318# This feature does not work on servers that do not have the iptables module
319# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
320# server admins should check with their VPS host provider that the iptables
321# module is included
322#
323# For further information and syntax refer to the Port Flood Protection
324# section of the csf readme.txt
325#
326# Note: Run /etc/csf/csftest.pl to check whether this option will function on
327# this server
# Read as port;proto;hits;interval: presumably more than 9 new connections to
# 22/tcp within 29s, or more than 1 to 1433/tcp within 900s, trigger the block
# — confirm against readme.txt. 1433 is not in TCP_IN, so that entry appears
# to act as a tripwire for probes rather than to protect a running service.
328PORTFLOOD = "22;tcp;9;29,1433;tcp;1;900"
329
330###############################################################################
331# SECTION:Logging Settings
332###############################################################################
333# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
334# perl module Sys::Syslog installed to use this feature
335SYSLOG = "0"
336
337# Drop target for iptables rules. This can be set to either DROP or REJECT.
338# REJECT will send back an error packet, DROP will not respond at all. REJECT
339# is more polite, however it does provide extra information to a hacker and
340# lets them know that a firewall is blocking their attempts. DROP hangs their
341# connection, thereby frustrating attempts to port scan the server.
342DROP = "DROP"
343
344# Enable logging of dropped connections to blocked ports to syslog, usually
345# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
346DROP_LOGGING = "1"
347
348# Enable logging of dropped incoming connections from blocked IP addresses
349#
350# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
351DROP_IP_LOGGING = "0"
352
353# Enable logging of dropped outgoing connections. Where available, these logs
354# will also include the UID connecting out which can help track abuse
355#
356# Note: Only outgoing SYN packets for TCP connections are logged, other
357# protocols log all packets
358#
359# We recommend that you enable this option
360DROP_OUT_LOGGING = "1"
361
362# Only log incoming reserved port dropped connections (0:1023). This can reduce
363# the amount of log noise from dropped connections, but will affect options
364# such as Port Scan Tracking (PS_INTERVAL)
365DROP_ONLYRES = "0"
366
367# Commonly blocked ports that you do not want logging as they tend to just fill
368# up the log file. These ports are specifically blocked (applied to TCP and UDP
369# protocols) for incoming connections
370DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
371
372# Log packets dropped by the packet filtering option PACKET_FILTER
373DROP_PF_LOGGING = "0"
374
375# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
376# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
377# addresses breaking the Connection Limit Protection will be blocked
378CONNLIMIT_LOGGING = "0"
379
380# Send an alert if log file flooding is detected which causes lfd to skip log
381# lines to prevent lfd from looping. If this alert is sent you should check the
382# reported log file for the reason for the flooding
383LOGFLOOD_ALERT = "1"
384
385# Configure csf to watch IP addresses (with csf -w [ip]). This option will add
386# overhead to packet traversal through iptables and syslog logging, so should
387# only be enabled while actively watching IP addresses. See readme.txt for more
388# information on the use of this option
389WATCH_MODE = "0"
390
391###############################################################################
392# SECTION:Reporting Settings
393###############################################################################
394# By default, lfd will send alert emails using the relevant alert template to
395# the To: address configured within that template. Setting the following
396# option will override the configured To: field in all lfd alert emails
397#
398# Leave this option empty to use the To: field setting in each alert template
# Every lfd alert is delivered to this mailbox; with LF_ALERT_SMTP empty below
# they leave the host via the SENDMAIL binary.
399LF_ALERT_TO = "chris@webarchitects.co.uk"
400
401# By default, lfd will send alert emails using the relevant alert template from
402# the From: address configured within that template. Setting the following
403# option will override the configured From: field in all lfd alert emails
404#
405# Leave this option empty to use the From: field setting in each alert template
406LF_ALERT_FROM = ""
407
408# By default, lfd will send all alerts using the SENDMAIL binary. To send using
409# SMTP directly, you can set the following to a relaying SMTP server, e.g.
410# "127.0.0.1". Leave this setting blank to use SENDMAIL
411LF_ALERT_SMTP = ""
412
413# Block Reporting. lfd can run an external script when it performs an IP
414# address block following for example a login failure. The following setting
415# is to the full path of the external script which must be executable. See
416# readme.txt for format details
417#
418# Leave this setting blank to disable
# NOTE(review): if set, lfd executes this path on every block, presumably with
# lfd's own privileges — confirm, and make sure only that account can write
# to the script and its directory.
419BLOCK_REPORT = ""
420
421# To also run an external script when a temporary block is unblocked. The
422# following setting can be the full path of the external script which must be
423# executable. See readme.txt for format details
424#
425# Leave this setting blank to disable
# Same privilege and ownership considerations as BLOCK_REPORT apply.
426UNBLOCK_REPORT = ""
427
428# In addition to the standard lfd email alerts, you can additionally enable the
429# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
430# block alert messages will be sent.
431#
432# These reports are in a format accepted by many Netblock owners and should
433# help them investigate abuse. This option is not designed to automatically
434# forward these reports to the Netblock owners and should be checked for
435# false-positive blocks before reporting
436#
437# Note: The following block types are not reported through this feature:
438#       LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
439X_ARF = "0"
440
441# By default, lfd will send emails from the root forwarder. Setting the
442# following option will override this
443X_ARF_FROM = ""
444
445# By default, lfd will send emails to the root forwarder. Setting the following
446# option will override this
# Only used while X_ARF above is enabled.
447X_ARF_TO = "chris@webarchitects.co.uk"
448
449###############################################################################
450# SECTION:Temp to Perm/Netblock Settings
451###############################################################################
452# Temporary to Permanent IP blocking. The following enables this feature to
453# permanently block IP addresses that have been temporarily blocked more than
454# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
455# LF_PERMBLOCK  to "1" to enable this feature
456#
457# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
458# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
459# (TTL) for blocked IPs, to be effective
460#
461# Set LF_PERMBLOCK to "0" to disable this feature
# NOTE(review): LF_TRIGGER_PERM and every LF_*_PERM in the Login Failure
# section below are "1", so login-failure blocks are already permanent; this
# feature presumably only affects temporary blocks raised by other triggers.
# With LF_PERMBLOCK_COUNT = 4, the 86400s interval must be at least 4x the
# longest temporary block TTL in use (see the note above) — confirm.
462LF_PERMBLOCK = "1"
463LF_PERMBLOCK_INTERVAL = "86400"
464LF_PERMBLOCK_COUNT = "4"
465LF_PERMBLOCK_ALERT = "1"
466
467# Permanently block IPs by network class. The following enables this feature
468# to permanently block classes of IP address where individual IP addresses
469# within the same class LF_NETBLOCK_CLASS have already been blocked more than
470# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
471# LF_NETBLOCK  to "1" to enable this feature
472#
473# This can be an effective way of blocking DDOS attacks launched from within
474# the same network class
475#
476# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
477# consideration is required when blocking network classes A or B
478#
479# Set LF_NETBLOCK to "0" to disable this feature
# Disabled here. If enabled with class "C", one block would cover every host
# in the offending address's class C range (presumably a /24), including
# legitimate ones behind the same ISP — weigh that before turning it on.
480LF_NETBLOCK = "0"
481LF_NETBLOCK_INTERVAL = "86400"
482LF_NETBLOCK_COUNT = "4"
483LF_NETBLOCK_CLASS = "C"
484LF_NETBLOCK_ALERT = "1"
485
486###############################################################################
487# SECTION:Global Lists/DYNDNS/Blocklists
488###############################################################################
489# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
490# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
491# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
492# chain, then flush and delete the old dynamic chain and rename the new chain.
493#
494# This prevents a small window of opportunity opening when an update occurs and
495# the dynamic chain is flushed for the new rules.
496#
497# This option should not be enabled on servers with long dynamic chains (e.g.
498# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
499# Virtuozzo VPS servers with a restricted numiptent value. This is because each
500# chain will effectively be duplicated while the update occurs, doubling the
501# number of iptables rules
502SAFECHAINUPDATE = "0"
503
504# If you wish to allow access from dynamic DNS records (for example if your IP
505# address changes whenever you connect to the internet but you have a dedicated
506# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
507# records in csf.dyndns and then set the following to the number of seconds to
508# poll for a change in the IP address. If the IP address has changed iptables
509# will be updated.
510#
511# A setting of 600 would check for IP updates every 10 minutes. Set the value
512# to 0 to disable the feature
513DYNDNS = "0"
514
515# To always ignore DYNDNS IP addresses in lfd blocking, set the following
516# option to 1
517DYNDNS_IGNORE = "0"
518
519# The following Global options allow you to specify a URL where csf can grab a
520# centralised copy of an IP allow or deny block list of your own. You need to
521# specify the full URL in the following options, i.e.:
522# http://www.somelocation.com/allow.txt
523#
524# The actual retrieval of these IP's is controlled by lfd, so you need to set
525# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
526# will perform the retrieval when it runs and then again at the specified
527# interval. A sensible interval would probably be every 3600 seconds (1 hour).
528# A minimum value of 300 is enforced for LF_GLOBAL if enabled
529#
530# You do not have to specify both an allow and a deny file
531#
532# You can also configure a global ignore file for IP's that lfd should ignore
533LF_GLOBAL = "0"
534
535GLOBAL_ALLOW = ""
536GLOBAL_DENY = ""
537GLOBAL_IGNORE = ""
538
539# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
540# this to the URL of the file containing DYNDNS entries
541GLOBAL_DYNDNS = ""
542
543# Set the following to the number of seconds to poll for a change in the IP
544# address resolved from GLOBAL_DYNDNS
545GLOBAL_DYNDNS_INTERVAL = "600"
546
547# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
548# option to 1
549GLOBAL_DYNDNS_IGNORE = "0"
550
551# Blocklists are controlled by modifying /etc/csf/csf.blocklists
552#
553# If you don't want BOGON rules applied to specific NICs, then list them in
554# a comma separated list (e.g "eth1,eth2")
555LF_BOGON_SKIP = ""
556
557###############################################################################
558# SECTION:Country Code Lists and Settings
559###############################################################################
560# Country Code to CIDR allow/deny. In the following two options you can allow
561# or deny whole country CIDR ranges. The CIDR blocks are generated from the
562# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
563# and entirely relies on that service being available
564#
565# Specify the two-letter ISO Country Code(s). The iptables rules are for
566# incoming connections only
567#
568# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
569# non-geographic IP address designations for their clients
570#
571# WARNING: Some of the CIDR lists are huge and each one requires a rule within
572# the incoming iptables chain. This can result in significant performance
573# overheads and could render the server inaccessible in some circumstances. For
574# this reason (amongst others) we do not recommend using these options
575#
576# WARNING: Due to the resource constraints on VPS servers this feature should
577# not be used on such systems unless you choose very small CC zones
578#
579# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
580# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
581# preferred
582#
583# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
584CC_DENY = ""
585CC_ALLOW = ""
586
587# An alternative to CC_ALLOW is to only allow access from the following
588# countries but still filter based on the port and packets rules. All other
589# connections are dropped
590CC_ALLOW_FILTER = ""
591
592# This option allows access from the following countries to specific ports
593# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
594#
595# Note: The rules for this feature are inserted after the allow and deny
596# rules to still allow blocking of IP addresses
597#
598# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
599CC_ALLOW_PORTS = ""
600
601# All listed ports should be removed from TCP_IN/UDP_IN to block access from
602# elsewhere. This option uses the same format as TCP_IN/UDP_IN
603#
604# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
605# then only countries listed in CC_ALLOW_PORTS can access FTP
606CC_ALLOW_PORTS_TCP = ""
607CC_ALLOW_PORTS_UDP = ""
608
609# This option denies access from the following countries to specific ports
610# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
611#
612# Note: The rules for this feature are inserted after the allow and deny
613# rules to still allow allowing of IP addresses
614#
615# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
616CC_DENY_PORTS = ""
617
618# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
619# NOT be removed from TCP_IN/UDP_IN
620#
621# An example would be to list port 21 here then countries listed in
622# CC_DENY_PORTS cannot access FTP
623CC_DENY_PORTS_TCP = ""
624CC_DENY_PORTS_UDP = ""
625
626# This Country Code list will prevent lfd from blocking IP address hits for the
627# listed CC's. This option could cause performance issues and is generally not
628# recommended
629CC_IGNORE = ""
630
631# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
632# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
633# help reduce the number of CC entries and may improve iptables throughput.
634# Obviously, this will deny/allow fewer IP addresses depending on how small you
635# configure the option
636#
637# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
638# this option to "16". Set to "" to block all CC IP addresses
639CC_DROP_CIDR = ""
640
641# Display Country Code and Country for reported IP addresses. This option can
642# be configured to use the MaxMind Country Database or the more detailed (and
643# much larger and therefore slower) MaxMind City Database
644#
645# "0" - disable
646# "1" - Reports: Country Code and Country
647# "2" - Reports: Country Code and Country and Region and City
648CC_LOOKUPS = "1"
649
650# This option tells lfd how often to retrieve the Maxmind GeoLite Country
651# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
652# days)
653CC_INTERVAL = "7"
654
655###############################################################################
656# SECTION:Login Failure Blocking and Alerts
657###############################################################################
658# The following[*] triggers are application specific. If you set LF_TRIGGER to
659# "0" the value of each trigger is the number of failures against that
660# application that will trigger lfd to block the IP address
661#
662# If you set LF_TRIGGER to a value greater than "0" then the following[*]
663# application triggers are simply on or off ("0" or "1") and the value of
664# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
665# to block the IP address
666#
667# Setting the application trigger to "0" disables it
668LF_TRIGGER = "0"
669
670# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
671# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
672# "1" and the IP address will be blocked temporarily for that value in seconds.
673# For example:
674# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
675# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
676#
677# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
678# in the same way as above and LF_TRIGGER_PERM serves no function
679LF_TRIGGER_PERM = "1"
680
681# To only block access to the failed application instead of a complete block
682# for an ip address, you can set the following to "1", but LF_TRIGGER must be
683# set to "0" with specific application[*] trigger levels also set appropriately
684LF_SELECT = "0"
685
686# Send an email alert if an IP address is blocked by one of the [*] triggers
687LF_EMAIL_ALERT = "1"
688
689# [*]Enable login failure detection of sshd connections
690LF_SSHD = "5"
691LF_SSHD_PERM = "1"
692
693# [*]Enable login failure detection of ftp connections
694LF_FTPD = "10"
695LF_FTPD_PERM = "1"
696
697# [*]Enable login failure detection of SMTP AUTH connections
698LF_SMTPAUTH = "5"
699LF_SMTPAUTH_PERM = "1"
700
701# [*]Enable login failure detection of pop3 connections
702LF_POP3D = "0"
703LF_POP3D_PERM = "1"
704
705# [*]Enable login failure detection of imap connections
706LF_IMAPD = "0"
707LF_IMAPD_PERM = "1"
708
709# [*]Enable login failure detection of Apache .htpasswd connections
710# Due to the often high logging rate in the Apache error log, you might want to
711# enable this option only if you know you are suffering from attacks against
712# password protected directories
713LF_HTACCESS = "0"
714LF_HTACCESS_PERM = "1"
715
716# [*]Enable failure detection of repeated Apache mod_security rule triggers
717LF_MODSEC = "0"
718LF_MODSEC_PERM = "1"
719
720# [*]Enable detection of repeated BIND denied requests
721# This option should be enabled with care as it will prevent blocked IPs from
722# resolving any domains on the server. You might want to set the trigger value
723# reasonably high to avoid this
724# Example: LF_BIND = "100"
725LF_BIND = "0"
726LF_BIND_PERM = "1"
727
728# [*]Enable detection of repeated suhosin ALERTs
729# Example: LF_SUHOSIN = "5"
730LF_SUHOSIN = "0"
731LF_SUHOSIN_PERM = "1"
732
733# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
734# This option will block IP addresses if cxs detects hits from the
735# ModSecurity rule associated with it
736#
737# Note: This option takes precedence over LF_MODSEC and removes any hits
738# counted towards LF_MODSEC for the cxs rule
739#
740# This setting should probably be set very low, perhaps to 1, if you want to
741# effectively block IP addresses for this trigger option
742LF_CXS = "0"
743LF_CXS_PERM = "1"
744
745# [*]Enable detection of repeated Apache mod_qos rule triggers
746LF_QOS = "0"
747LF_QOS_PERM = "1"
748
749# [*]Enable detection of repeated Apache symlink race condition triggers from
750# the Apache patch provided by:
751# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
752# This patch has also been included by cPanel via the easyapache option:
753# "Symlink Race Condition Protection"
754LF_SYMLINK = "0"
755LF_SYMLINK_PERM = "1"
756
757# [*]Enable login failure detection of webmin connections
758LF_WEBMIN = "0"
759LF_WEBMIN_PERM = "1"
760
761# Send an email alert if anyone logs in successfully using SSH
762LF_SSH_EMAIL_ALERT = "1"
763
764# Send an email alert if anyone uses su to access another account. This will
765# send an email alert whether the attempt to use su was successful or not
766LF_SU_EMAIL_ALERT = "1"
767
768# Send an email alert if anyone accesses webmin
769LF_WEBMIN_EMAIL_ALERT = "0"
770
771# Send an email alert if anyone logs in successfully to root on the console
772LF_CONSOLE_EMAIL_ALERT = "1"
773
774# This option will keep track of the number of "File does not exist" errors in
775# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
776# seconds then the IP address will be blocked
777#
778# Care should be used with this option as it could generate many
779# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
780# so only use this option if you know you are under this type of attack
781#
782# A sensible setting for this would be quite high, perhaps 200
783#
784# To disable set to "0"
785LF_APACHE_404 = "0"
786
787# If this option is set to 1 the blocks will be permanent
788# If this option is > 1, the blocks will be temporary for the specified number
789# of seconds
790LF_APACHE_404_PERM = "3600"
791
792# This option will keep track of the number of "client denied by server
793# configuration" errors in HTACCESS_LOG. If the number of hits is more than
794# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
795#
796# Care should be used with this option as it could generate many
797# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
798# so only use this option if you know you are under this type of attack
799#
800# A sensible setting for this would be quite high, perhaps 200
801#
802# To disable set to "0"
803LF_APACHE_403 = "0"
804
805# If this option is set to 1 the blocks will be permanent
806# If this option is > 1, the blocks will be temporary for the specified number
807# of seconds
808LF_APACHE_403_PERM = "3600"
809
810# System Exploit Checking. This option is designed to perform a series of tests
811# to send an alert in case a possible server compromise is detected
812#
813# To enable this feature set the following to the checking interval in seconds
814# (a value of 300 would seem sensible).
815#
816# To disable set to "0"
817LF_EXPLOIT = "300"
818
819# This comma separated list allows you to ignore tests LF_EXPLOIT performs
820#
821# For the SUPERUSER check, you can list usernames in csf.suignore to have them
822# ignored for that test
823#
824# Valid tests are:
825# SUPERUSER,SSHDSPAM
826#
827# If you want to ignore a test add it to this as a comma separated list, e.g.
828# "SUPERUSER,SSHDSPAM"
829LF_EXPLOIT_IGNORE = ""
830
831# Set the time interval to track login and other LF_ failures within (seconds),
832# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
833LF_INTERVAL = "300"
834
835# This is how long the lfd process sleeps (in seconds) before processing the
836# log file entries and checking whether other events need to be triggered
837LF_PARSE = "5"
838
839# This is the interval that is used to flush reports of usernames, files and
840# pids so that persistent problems continue to be reported, in seconds.
841# A value of 3600 seems sensible
842LF_FLUSH = "3600"
843
844# Under some circumstances iptables can fail to include a rule instruction,
845# especially if more than one request is made concurrently. In this event, a
846# permanent block entry may exist in csf.deny, but not in iptables.
847#
848# This option instructs csf to deny an already blocked IP address the number
849# of times set. The downside, is that there will be multiple entries for an IP
850# address in csf.deny and possibly multiple rules for the same IP address in
851# iptables. This needs to be taken into consideration when unblocking such IP
852# addresses.
853#
854# Set to "0" to disable this feature. Do not set this too high for the reasons
855# detailed above (e.g. "5" should be more than enough)
856LF_REPEATBLOCK = "0"
857
858# By default csf will create both inbound and outbound blocks from/to an IP
859# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
860# effective way to block IP traffic. This option instructs csf to only block
861# inbound traffic from those IP's and so reduces the number of iptables rules,
862# but at the expense of less effectiveness. For this reason we recommend
863# leaving this option disabled
864#
865# Set to "0" to disable this feature - the default
866LF_BLOCKINONLY = "0"
867
868###############################################################################
869# SECTION:Directory Watching & Integrity
870###############################################################################
871# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
872# directories for suspicious files, i.e. script exploits. If a suspicious
873# file is found an email alert is sent. One alert per file per LF_FLUSH
874# interval is sent
875#
876# To enable this feature set the following to the checking interval in seconds.
877# To disable set to "0"
878LF_DIRWATCH = "300"
879
880# To remove any suspicious files found during directory watching, enable the
881# following. These files will be appended to a tarball in
882# /var/lib/csf/suspicious.tar
883LF_DIRWATCH_DISABLE = "0"
884
885# This option allows you to have lfd watch a particular file or directory for
886# changes; should they change, an email alert using watchalert.txt is sent
887#
888# To enable this feature set the following to the checking interval in seconds
889# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
890#
891# To disable set to "0"
892LF_DIRWATCH_FILE = "0"
893
894# System Integrity Checking. This enables lfd to compare md5sums of the
895# server's OS binary application files from the time when lfd starts. If the
896# md5sum of a monitored file changes an alert is sent. This option is intended
897# as an IDS (Intrusion Detection System) and is the last line of detection for
898# a possible root compromise.
899#
900# There will be constant false-positives as the server's OS is updated or
901# monitored application binaries are updated. However, unexpected changes
902# should be carefully inspected.
903#
904# Modified files will only be reported via email once.
905#
906# To enable this feature set the following to the checking interval in seconds
907# (a value of 3600 would seem sensible). This option may increase server I/O
908# load onto the server as it checks system binaries.
909#
910# To disable set to "0"
911LF_INTEGRITY = "3600"
912
913###############################################################################
914# SECTION:Distributed Attacks
915###############################################################################
916# Distributed Account Attack. This option will keep track of login failures
917# from distributed IP addresses to a specific application account. If the
918# number of failures matches the trigger value above, ALL of the IP addresses
919# involved in the attack will be blocked according to the temp/perm rules above
920#
921# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
922# LF_HTACCESS
923LF_DISTATTACK = "1"
924
925# Set the following to the minimum number of unique IP addresses that trigger
926# LF_DISTATTACK
927LF_DISTATTACK_UNIQ = "3"
928
929# Distributed FTP Logins. This option will keep track of successful FTP logins.
930# If the number of successful logins to an individual account is at least
931# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
932# then all of the IP addresses will be blocked
933#
934# This option can help mitigate the common FTP account compromise attacks that
935# use a distributed network of zombies to deface websites
936#
937# A sensible setting for this might be 5, depending on how many different
938# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
939#
940# To disable set to "0"
941LF_DISTFTP = "5"
942
943# Set the following to the minimum number of unique IP addresses that trigger
944# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
945LF_DISTFTP_UNIQ = "5"
946
947# If this option is set to 1 the blocks will be permanent
948# If this option is > 1, the blocks will be temporary for the specified number
949# of seconds
950LF_DISTFTP_PERM = "900"
951
952# Distributed SMTP Logins. This option will keep track of successful SMTP
953# logins. If the number of successful logins to an individual account is at
954# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
955# addresses, then all of the IP addresses will be blocked. These options only
956# apply to the exim MTA
957#
958# This option can help mitigate the common SMTP account compromise attacks that
959# use a distributed network of zombies to send spam
960#
961# A sensible setting for this might be 5, depending on how many different
962# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
963#
964# To disable set to "0"
965LF_DISTSMTP = "0"
966
967# Set the following to the minimum number of unique IP addresses that trigger
968# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
969LF_DISTSMTP_UNIQ = "3"
970
971# If this option is set to 1 the blocks will be permanent
972# If this option is > 1, the blocks will be temporary for the specified number
973# of seconds
974LF_DISTSMTP_PERM = "1"
975
976# This is the interval during which a distributed FTP or SMTP attack is
977# measured
978LF_DIST_INTERVAL = "300"
979
980###############################################################################
981# SECTION:Login Tracking
982###############################################################################
983# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
984# address (0=disabled)
985#
986# This is a temporary block for the rest of the hour, after which the IP is
987# unblocked
988LT_POP3D = "0"
989
990# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
991# address (0=disabled) - not recommended for IMAP logins due to the ethos
992# within which IMAP works. If you want to use this, setting it quite high is
993# probably a good idea
994#
995# This is a temporary block for the rest of the hour, after which the IP is
996# unblocked
997LT_IMAPD = "0"
998
999# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
1000# per IP
1001LT_EMAIL_ALERT = "0"
1002
1003# If LF_PERMBLOCK is enabled but you do not want this to apply to
1004# LT_POP3D/LT_IMAPD, then enable this option
1005LT_SKIPPERMBLOCK = "0"
1006
1007###############################################################################
1008# SECTION:Connection Tracking
1009###############################################################################
1010# Connection Tracking. This option enables tracking of all connections from IP
1011# addresses to the server. If the total number of connections is greater than
1012# this value then the offending IP address is blocked. This can be used to help
1013# prevent some types of DOS attack.
1014#
1015# Care should be taken with this option. It's entirely possible that you will
1016# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
1017# and HTTP so it could be quite easy to trigger, especially with a lot of
1018# closed connections in TIME_WAIT. However, for a server that is prone to DOS
1019# attacks this may be very useful. A reasonable setting for this option might
1020# be around 300.
1021#
1022# To disable this feature, set this to 0
1023CT_LIMIT = "0"
1024
1025# Connection Tracking interval. Set this to the number of seconds between
1026# connection tracking scans
1027CT_INTERVAL = "30"
1028
1029# Send an email alert if an IP address is blocked due to connection tracking
1030CT_EMAIL_ALERT = "1"
1031
1032# If you want to make IP blocks permanent then set this to 1, otherwise blocks
1033# will be temporary and will be cleared after CT_BLOCK_TIME seconds
1034CT_PERMANENT = "0"
1035
1036# If you opt for temporary IP blocks for CT, then the following is the interval
1037# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
1038CT_BLOCK_TIME = "1800"
1039
1040# If you don't want to count the TIME_WAIT state against the connection count
1041# then set the following to "1"
1042CT_SKIP_TIME_WAIT = "0"
1043
1044# If you only want to count specific states (e.g. SYN_RECV) then add the states
1045# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
1046#
1047# Leave this option empty to count all states against CT_LIMIT
1048CT_STATES = ""
1049
1050# If you only want to count specific ports (e.g. 80,443) then add the ports
1051# to the following as a comma separated list. E.g. "80,443"
1052#
1053# Leave this option empty to count all ports against CT_LIMIT
1054CT_PORTS = ""
1055
1056###############################################################################
1057# SECTION:Process Tracking
1058###############################################################################
1059# Process Tracking. This option enables tracking of user and nobody processes
1060# and examines them for suspicious executables or open network ports. Its
1061# purpose is to identify potential exploit processes that are running on the
1062# server, even if they are obfuscated to appear as system services. If a
1063# suspicious process is found an alert email is sent with relevant information.
1064# It is then the responsibility of the recipient to investigate the process
1065# further as the script takes no further action
1066#
1067# The following is the number of seconds a process has to be active before it
1068# is inspected. If you set this time too low, then you will likely trigger
1069# false-positives with CGI or PHP scripts.
1070# Set the value to 0 to disable this feature
1071PT_LIMIT = "0"
1072
1073# How frequently processes are checked in seconds
1074PT_INTERVAL = "60"
1075
1076# If you want process tracking to highlight php or perl scripts that are run
1077# through apache then disable the following,
1078# i.e. set it to 0
1079#
1080# While enabling this setting will reduce false-positives, having it set to 0
1081# does provide better checking for exploits running on the server
1082PT_SKIP_HTTP = "0"
1083
1084# lfd will report processes, even if they're listed in csf.pignore, if they're
1085# tagged as (deleted) by Linux. This information is provided in Linux under
1086# /proc/PID/exe. A (deleted) process is one that is running a binary that has
1087# the inode for the file removed from the file system directory. This usually
1088# happens when the binary has been replaced due to an upgrade for it by the OS
1089# vendor or another third party (e.g. cPanel). You need to investigate whether
1090# this is indeed the case to be sure that the original binary has not been
1091# replaced by a rootkit or is running an exploit.
1092#
1093# Note: If a deleted executable process is detected and reported then lfd will
1094# not report children of the parent (or the parent itself if a child triggered
1095# the report) if the parent is also a deleted executable process
1096#
1097# To stop lfd reporting such processes you need to restart the daemon to which it
1098# belongs and therefore run the process using the replacement binary (presuming
1099# one exists). This will normally mean running the associated startup script in
1100# /etc/init.d/
1101#
1102# If you do want lfd to report deleted binary processes, set to 1
1103PT_DELETED = "0"
1104
1105# If a PT_DELETED event is triggered, then if the following contains the path to
1106# a script, it will be run in a child process and passed the executable, pid,
1107# account for the process, and parent pid
1108#
1109# The action script must have the execute bit and interpreter (shebang) set. An
1110# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
1111#
1112# WARNING: Make sure you read and understand the potential security
1113# implications of such processes in PT_DELETED above before simply restarting
1114# such processes with a script
1115PT_DELETED_ACTION = ""
1116
1117# User Process Tracking. This option enables the tracking of the number of
1118# processes any given account is running at one time. If the number of processes
1119# exceeds the value of the following setting an email alert is sent with
1120# details of those processes. If you specify a user in csf.pignore it will be
1121# ignored
1122#
1123# Set to 0 to disable this feature
1124PT_USERPROC = "0"
1125
1126# This User Process Tracking option sends an alert if any linux user process
1127# exceeds the memory usage set (MB). To ignore specific processes or users use
1128# csf.pignore
1129#
1130# Set to 0 to disable this feature
1131PT_USERMEM = "0"
1132
1133# This User Process Tracking option sends an alert if any linux user process
1134# exceeds the time usage set (seconds). To ignore specific processes or users
1135# use csf.pignore
1136#
1137# Set to 0 to disable this feature
1138PT_USERTIME = "0"
1139
1140# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
1141# PT_USERPROC are killed
1142#
1143# Warning: We don't recommend enabling this option unless absolutely necessary
1144# as it can cause unexpected problems when processes are suddenly terminated.
1145# It can also lead to system processes being terminated which could cause
1146# stability issues. It is much better to leave this option disabled and to
1147# investigate each case as it is reported when the triggers above are breached
1148#
1149# Note: Processes that are running deleted executables (see PT_DELETED) will
1150# not be killed by lfd
1151PT_USERKILL = "0"
1152
1153# If you want to disable email alerts if PT_USERKILL is triggered, then set
1154# this option to 0
1155PT_USERKILL_ALERT = "0"
1156
1157# If a PT_* event is triggered, then if the following contains the path to
1158# a script, it will be run in a child process and passed the PID(s) of the
1159# process(es) in a comma separated list.
1160#
1161# The action script must have the execute bit and interpreter (shebang) set
1162PT_USER_ACTION = ""
1163
1164# Check the PT_LOAD_AVG minute Load Average (can be set to 1, 5 or 15 and
1165# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
1166# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
1167# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
1168# seconds has passed to prevent email floods.
1169#
1170# Set PT_LOAD to "0" to disable this feature
1171PT_LOAD = "30"
1172PT_LOAD_AVG = "5"
1173PT_LOAD_LEVEL = "6"
1174PT_LOAD_SKIP = "3600"
1175
1176# This is the Apache Server Status URL used in the email alert. Requires the
1177# Apache mod_status module to be installed and configured correctly
1178PT_APACHESTATUS = "http://127.0.0.1/server-status"
1179
1180# If a PT_LOAD event is triggered, then if the following contains the path to
1181# a script, it will be run in a child process. For example, the script could
1182# contain commands to terminate and restart httpd, php, exim, etc in case of
1183# looping processes. The action script must have the execute bit and
1184# interpreter (shebang) set
1185PT_LOAD_ACTION = ""
1186
1187# Fork Bomb Protection. This option checks the number of processes with the
1188# same session id and if greater than the value set, the whole session tree is
1189# terminated and an alert sent
1190#
1191# You can see an example of common session id processes on most Linux systems
1192# using: "ps axf -O sid"
1193#
1194# On cPanel servers, PT_ALL_USERS should be enabled to use this option
1195# effectively
1196#
1197# This option will check root owned processes. Session ids 0 and 1 will always
1198# be ignored as they represent kernel and init processes. csf.pignore will be
1199# honoured, but bear in mind that a session tree can contain a variety of users
1200# and executables
1201#
1202# Care needs to be taken to ensure that this option only detects runaway fork
1203# bombs, so should be set higher than any session tree is likely to get (e.g.
1204# httpd could have 100s of legitimate children on very busy systems). A
1205# sensible starting point on most servers might be 250
1206PT_FORKBOMB = "250"
1207
1208###############################################################################
1209# SECTION:Port Scan Tracking
1210###############################################################################
1211# Port Scan Tracking. This feature tracks port blocks logged by iptables to
1212# syslog. If an IP address generates a port block that is logged more than
1213# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
1214#
1215# This feature could, for example, be useful for blocking hackers attempting
1216# to access the standard SSH port if you have moved it to a port other than 22
1217# and have removed 22 from the TCP_IN list so that connection attempts to the
1218# old port are being logged
1219#
1220# This feature blocks all iptables blocks from the iptables logs, including
1221# repeated attempts to one port or SYN flood blocks, etc
1222#
1223# Note: This feature will only track iptables blocks from the log file set in
1224# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
1225# cause redundant blocking with DROP_IP_LOGGING enabled
1226#
1227# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
1228# could very quickly fill the iptables rule chains and cause a DOS in itself.
1229# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
1230# and the DENY_TEMP_IP_LIMIT with temporary blocks
1231#
1232# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1233# would be sensible to enable this feature
1234PS_INTERVAL = "120"
1235PS_LIMIT = "19"
1236
1237# You can specify the ports and/or port ranges that should be tracked by the
1238# Port Scan Tracking feature. The following setting is a comma separated list
1239# of those ports and uses the same format as TCP_IN. The default setting of
1240# 0:65535,ICMP covers all ports
1241PS_PORTS = "0:65535,ICMP"
1242
1243# You can select whether IP blocks for Port Scan Tracking should be temporary
1244# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
1245# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
1246# temporarily block the IP address for
1247PS_PERMANENT = "0"
1248PS_BLOCK_TIME = "3600"
1249
1250# Set the following to "1" to enable Port Scan Tracking email alerts, set to
1251# "0" to disable them
1252PS_EMAIL_ALERT = "1"
1253
1254###############################################################################
1255# SECTION:User ID Tracking
1256###############################################################################
1257# User ID Tracking. This feature tracks UID blocks logged by iptables to
1258# syslog. If a UID generates a port block that is logged more than UID_LIMIT
1259# times within UID_INTERVAL seconds, an alert will be sent
1260#
1261# Note: This feature will only track iptables blocks from the log file set in
1262# IPTABLES_LOG and if DROP_OUT_LOGGING is enabled.
1263#
1264# To ignore specific UIDs list them in csf.uidignore and then restart lfd
1265#
1266# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1267# would be sensible to enable this feature
1268UID_INTERVAL = "0"
1269UID_LIMIT = "10"
1270
1271# You can specify the ports and/or port ranges that should be tracked by the
1272# User ID Tracking feature. The following setting is a comma separated list
1273# of those ports and uses the same format as TCP_OUT. The default setting of
1274# 0:65535,ICMP covers all ports
1275UID_PORTS = "0:65535,ICMP"
1276
1277###############################################################################
1278# SECTION:Account Tracking
1279###############################################################################
1280# Account Tracking. The following options enable the tracking of modifications
1281# to the accounts on a server. If any of the enabled options are triggered by
1282# a modification to an account, an alert email is sent. Only the modification
1283# is reported. The cause of the modification will have to be investigated
1284# manually
1285#
1286# You can set AT_ALERT to the following:
1287# 0 = disable this feature
1288# 1 = enable this feature for all accounts
1289# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
1290# 3 = enable this feature only for the root account
1291AT_ALERT = "2"
1292
1293# This option is the interval between checks in seconds
1294AT_INTERVAL = "60"
1295
1296# Send alert if a new account is created
1297AT_NEW = "1"
1298
1299# Send alert if an existing account is deleted
1300AT_OLD = "1"
1301
1302# Send alert if an account password has changed
1303AT_PASSWD = "1"
1304
1305# Send alert if an account uid has changed
1306AT_UID = "1"
1307
1308# Send alert if an account gid has changed
1309AT_GID = "1"
1310
1311# Send alert if an account login directory has changed
1312AT_DIR = "1"
1313
1314# Send alert if an account login shell has changed
1315AT_SHELL = "1"
1316
1317###############################################################################
1318# SECTION:Integrated User Interface
1319###############################################################################
1320# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
1321# without requiring a control panel or web server. The UI runs as a sub process
1322# to the lfd daemon
1323#
1324# As it runs under the root account and successful login provides root access
1325# to the server, great care should be taken when configuring and using this
1326# feature. There are additional restrictions to enhance secure access to the UI
1327#
1328# See readme.txt for more information about using this feature BEFORE enabling
1329# it for security and access reasons
1330#
1331# 1 to enable, 0 to disable
1332UI = "0"
1333
1334# Set this to the port that you want to bind this service to. You should configure
1335# this port to be >1023 and different from any other port already being used
1336#
1337# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
1338# to the port using Advanced Allow Filters (see readme.txt)
1339UI_PORT = "6666"
1340
1341# This should be a secure, hard to guess username
1342#
1343# This must be changed from the default
1344UI_USER = "username"
1345
1346# This should be a secure, hard to guess password. That is, at least 8
1347# characters long with a mixture of upper and lowercase characters plus
1348# numbers and non-alphanumeric characters
1349#
1350# This must be changed from the default
1351UI_PASS = "password"
1352
1353# This is the login session timeout. If there is no activity for a logged in
1354# session within this number of seconds, the session will timeout and a new
1355# login will be required
1356#
1357# For security reasons, you should always keep this option low (i.e. 60-300)
1358UI_TIMEOUT = "300"
1359
1360# This is the maximum concurrent connections allowed to the server. The default
1361# value should be sufficient
1362UI_CHILDREN = "5"
1363
1364# The number of login retries allowed within a 24 hour period. A successful
1365# login from the IP address will clear the failures
1366#
1367# For security reasons, you should always keep this option low (i.e. 0-10)
1368UI_RETRY = "5"
1369
1370# If enabled, this option will add the connecting IP address to the file
1371# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
1372# able to log in to the UI while it is listed in this file. The UI_BAN setting
1373# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
1374# csf.ignore, etc.
1375#
1376# For security reasons, you should always enable this option
1377UI_BAN = "1"
1378
1379# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
1380# be allowed to log in to the UI. The UI_ALLOW setting does not refer to any of
1381# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
1382#
1383# For security reasons, you should always enable this option and use ui.allow
1384UI_ALLOW = "1"
1385
1386# If enabled, this option will trigger an iptables block through csf after
1387# UI_RETRY login failures
1388#
1389# 0 = no block; 1 = perm block; nn = temp block for nn secs
1390UI_BLOCK = "1"
1391
1392# This controls what email alerts are sent with regards to logins to the UI. It
1393# uses the uialert.txt template
1394#
1395# 4 = login success + login failure/ban/block + login attempts
1396# 3 = login success + login failure/ban/block
1397# 2 = login failure/ban/block
1398# 1 = login ban/block
1399# 0 = disabled
1400UI_ALERT = "4"
1401
1402# This is the SSL cipher list that the Integrated UI will negotiate from. Review it against current TLS guidance before enabling the UI, as some of the ciphers listed (e.g. RC4) are now considered weak
1403UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
1404
1405# If cxs is installed then enabling this option will provide a dropdown box to
1406# switch between applications
1407UI_CXS = "0"
1408
1409# There is a modified installation of ConfigServer Explorer (cse) provided with
1410# the csf distribution. If this option is enabled it will provide a dropdown
1411# box to switch between applications
1412UI_CSE = "0"
1413
1414###############################################################################
1415# SECTION:Messenger service
1416###############################################################################
1417# Messenger service. This feature allows the display of a message to a blocked
1418# connecting IP address to inform the user that they are blocked in the
1419# firewall. This can help when users get themselves blocked, e.g. due to
1420# multiple login failures. The service is provided by two daemons running on
1421# ports providing either an HTML or TEXT message.
1422#
1423# This feature does not work on servers that do not have the iptables module
1424# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
1425# server admins should check with their VPS host provider that the iptables
1426# module is included.
1427#
1428# For further information on features and limitations refer to the csf
1429# readme.txt
1430#
1431# Note: Run /etc/csf/csftest.pl to check whether this option will function on
1432# this server
1433#
1434# 1 to enable, 0 to disable
1435MESSENGER = "0"
1436
1437# Provide this service to temporary IP address blocks
1438MESSENGER_TEMP = "1"
1439
1440# Provide this service to permanent IP address blocks
1441MESSENGER_PERM = "1"
1442
1443# User account to run the service servers under. We recommend creating a
1444# specific non-priv, non-shell account for this purpose
1445MESSENGER_USER = "csf"
1446
1447# This is the maximum concurrent connections allowed to each service server
1448MESSENGER_CHILDREN = "10"
1449
1450# Set this to the port that will receive the HTML message. You should configure
1451# this port to be >1023 and different from the TEXT port. Do NOT enable access
1452# to this port in TCP_IN
1453MESSENGER_HTML = "8888"
1454
1455# This comma separated list are the HTML ports that will be redirected for the
1456# blocked IP address. If you are using per application blocking (LF_TRIGGER)
1457# then only the relevant block port will be redirected to the messenger port
1458MESSENGER_HTML_IN = "80,2082,2095"
1459
1460# Set this to the port that will receive the TEXT message. You should configure
1461# this port to be >1023 and different from the HTML port. Do NOT enable access
1462# to this port in TCP_IN
1463MESSENGER_TEXT = "8889"
1464
1465# This comma separated list are the TEXT ports that will be redirected for the
1466# blocked IP address. If you are using per application blocking (LF_TRIGGER)
1467# then only the relevant block port will be redirected to the messenger port
1468MESSENGER_TEXT_IN = "21"
1469
1470# These settings limit the rate at which connections can be made to the
1471# messenger service servers. Its intention is to provide protection from
1472# attacks or excessive connections to the servers. If the rate is exceeded then
1473# iptables will revert for the duration to the normal blocking activity
1474#
1475# See the iptables man page for the correct --limit rate syntax
1476MESSENGER_RATE = "30/m"
1477MESSENGER_BURST = "5"
1478
1479###############################################################################
1480# SECTION:lfd Clustering
1481###############################################################################
1482# lfd Clustering. This allows the configuration of an lfd cluster environment
1483# where a group of servers can share blocks and configuration option changes.
1484# Included are CLI and UI options to send requests to the cluster.
1485#
1486# See the readme.txt file for more information and details on setup and
1487# security risks.
1488#
1489# Comma separated list of cluster member IP addresses to send requests to
1490CLUSTER_SENDTO = ""
1491
1492# Comma separated list of cluster member IP addresses to receive requests from
1493CLUSTER_RECVFROM = ""
1494
1495# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
1496# changes
1497CLUSTER_MASTER = ""
1498
1499# If this is a NAT server, set this to the public IP address of this server
1500CLUSTER_NAT = ""
1501
1502# If a cluster member should send requests on an IP other than the default IP,
1503# set it here
1504CLUSTER_LOCALADDR = ""
1505
1506# Cluster communication port (must be the same on all member servers). There
1507# is no need to open this port in the firewall as csf will automatically add
1508# in and out bound rules to allow communication between cluster members
# (presumably only for the addresses in CLUSTER_SENDTO/CLUSTER_RECVFROM). Do
# not also list this port in TCP_IN, which would expose it to everyone
1509CLUSTER_PORT = "7777"
1510
1511# This is the shared secret used to encrypt cluster communications with the
1512# Blowfish algorithm; every member must hold the same value. It should be
1513# between 8 and 56 characters long, preferably > 20 random characters. The
1514# key is stored here in plain text, so this file must stay readable by root
# only, and a compromise of any single member exposes it - restrict
# CLUSTER_RECVFROM to the addresses that genuinely need it. Blowfish is a
# legacy 64-bit block cipher, so keep cluster traffic off untrusted networks
# where possible
# 56 chars:    012345678901234567890123456789012345678901234567890123456
1515CLUSTER_KEY = ""
1516
1517# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
1518# servers must have this servers IP address listed in their CLUSTER_RECVFROM
1519#
1520# Set to 0 to disable this feature
1521CLUSTER_BLOCK = "0"
1522
1523# This option allows the enabling and disabling of the Cluster configuration
1524# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
1525# CLUSTER_MASTER server
1526#
1527# Set this option to 1 to allow Cluster configurations to be received. Be
# aware that this lets the CLUSTER_MASTER host rewrite this server's csf
# configuration and files remotely, so a compromised master (or a spoofed
# CLUSTER_MASTER address if CLUSTER_KEY is weak) compromises every member that
# enables it. Leave it at 0 unless centralised configuration is required
1528CLUSTER_CONFIG = "0"
1529
1530# Maximum number of child processes to listen on. High blocking rates or large
1531# clusters may need to increase this
1532CLUSTER_CHILDREN = "10"
1533
1534###############################################################################
1535# SECTION:Port Knocking
1536###############################################################################
1537# Port Knocking. This feature allows port knocking to be enabled on multiple
1538# ports with a variable number of knocked ports and a timeout. There must be a
1539# minimum of 3 ports to knock for an entry to be valid. Knocking only hides
# the open port from anyone who does not know the sequence; it is not a
# substitute for authentication on the service behind it
1540#
1541# See the following for information regarding Port Knocking:
1542# http://www.portknocking.org/
1543#
1544# This feature does not work on servers that do not have the iptables module
1545# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
1546# server admins should check with their VPS host provider that the iptables
1547# module is included
1548#
1549# For further information and syntax refer to the Port Knocking section of the
1550# csf readme.txt
1551#
1552# Note: Run /etc/csf/csftest.pl to check whether this option will function on
1553# this server
1554#
1555# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
1556# e.g.: 22;TCP;20;100;200;300;400
1557PORTKNOCKING = ""
1558
1559# Enable PORTKNOCKING logging by iptables
1560PORTKNOCKING_LOG = "1"
1561
1562# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
1563# also be enabled to use this option
1564PORTKNOCKING_ALERT = "1"
1565
1566###############################################################################
1567# SECTION:Log Scanner
1568###############################################################################
1569# Log Scanner. This feature will send out an email summary of the log lines of
1570# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
1571# they match a regular expression in /etc/csf/csf.logignore
1572#
1573# Note: lfd builds the report continuously from lines logged after lfd has
1574# started, so any lines logged when lfd is not running will not be reported
1575# (e.g. during reboot). If lfd is restarted, then the report will include any
1576# lines logged during the previous lfd logging period that weren't reported
1577#
1578# 1 to enable, 0 to disable
1579LOGSCANNER = "0"
1580
1581# This is the interval each report will be sent based on the logalert.txt
1582# template
1583#
1584# The interval can be set to:
1585# "hourly" - sent on the hour
1586# "daily"  - sent at midnight (00:00)
1587# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
1588#            via cron job
1589LOGSCANNER_INTERVAL = "hourly"
1590
1591# Report Style
1592# 1 = Separate chronological log lines per log file
1593# 2 = Simply chronological log of all lines
1594LOGSCANNER_STYLE = "1"
1595
1596# Send the report email even if no log lines reported
1597# 1 to enable, 0 to disable
1598LOGSCANNER_EMPTY = "1"
1599
1600# Maximum number of lines in the report before it is truncated. This is to
1601# prevent log lines flooding resulting in an excessively large report. This
1602# might need to be increased if you choose a daily report
1603LOGSCANNER_LINES = "5000"
1604
1605###############################################################################
1606# SECTION:Statistics Settings
1607###############################################################################
1608# Statistics
1609#
1610# Some of the Statistics output requires the gd graphics library and the
1611# GD::Graph perl module with all dependent modules to be installed for the UI
1612# for them to be displayed
1613#
1614# This option enabled statistical data gathering
1615ST_ENABLE = "1"
1616
1617# This option determines how many iptables log lines to store for reports
1618ST_IPTABLES = "100"
1619
1620# This option indicates whether rDNS and CC lookups are performed at the time
1621# the log line is recorded (this is not performed when viewing the reports)
1622#
1623# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
1624# then enabling this setting could cause serious performance problems
1625ST_LOOKUP = "0"
1626
1627# This option will gather basic system statistics. Through the UI it displays
1628# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
1629#  . Hourly (per minute)
1630#  . 24 hours (per minute)
1631#  . 7 days (per minute averaged over an hour)
1632#  . 30 days (per minute averaged over an hour) - user definable
1633# The data is stored in /var/lib/csf/stats/system and the option requires the
1634# perl GD::Graph module
1635#
1636# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
1637# those systems does not store the required information in /proc/diskstats
1638# On new installations or when enabling this option it will take time for these
1639# graphs to be populated
1640ST_SYSTEM = "0"
1641
1642# Set the maximum days to collect statistics for. The default is 30 days, the
1643# more data that is collected the longer it will take for each of the graphs to
1644# be generated
1645ST_SYSTEM_MAXDAYS = "30"
1646
1647# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
1648# data. To use this option the server must have the perl modules DBI and
1649# DBD::mysql installed.
1650#
1651# Set this option to "0" to disable MySQL data collection
1652ST_MYSQL = "0"
1653
1654# The following options are for authentication for MySQL data collection. If
1655# the password is left blank and the user set to "root" then the procedure will
1656# look for authentication data in /root/.my.cnf. Otherwise, you will need to
1657# provide a MySQL username and password to collect the data. Any MySQL user
1658# account can be used, but prefer a dedicated account granted only what the
# statistics queries need rather than root: the password is stored here in
# plain text, so this file must stay readable by root only
1659ST_MYSQL_USER = "root"
1660ST_MYSQL_PASS = ""
1661ST_MYSQL_HOST = "localhost"
1662
1663# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
1664# The value for PT_APACHESTATUS must be correctly set
1665ST_APACHE = "0"
1666
1667# The following options measure disk write performance using dd (location set
1668# via the DD setting). It creates a 64MB file (by default /etc/csf/dd_test, the
1669# of= argument of ST_DISKW_DD) and the statistics will plot the MB/s response
# time of the disk. As this is an IO
1670# intensive operation, it may not be prudent to run this test too often, so by
1671# default it is only run every 5 minutes and the result duplicated for each
1672# intervening minute for the statistics
1673#
1674# This is not necessarily a good measure of disk performance, primarily because
1675# the measurements are for relatively small amounts of data over a small amount
1676# of time. To properly test disk performance there are a variety of tools
1677# available that should be run for extended periods of time to obtain an
1678# accurate measurement. This metric is provided to give an idea of how the disk
1679# is performing over time
1680#
1681# Note: There is a 15 second timeout performing the check
1682#
1683# Set to 0 to disable, 1 to enable
1684ST_DISKW = "0"
1685
1686# The number of minutes that elapse between tests. Default is 5, minimum is 1.
1687ST_DISKW_FREQ = "5"
1688
1689# This is the command line passed to dd. If you are familiar with dd, or wish
1690# to move the output file (of) to a different disk, then you can alter this
1691# command. Take great care when making any changes to this command as it is
1692# very easy to overwrite a disk using dd if you make a mistake: of= must name
# a regular file on the filesystem you want to measure, never a device node
1693ST_DISKW_DD = "if=/dev/zero of=/etc/csf/dd_test bs=1MB count=64 conv=fdatasync"
1694
1695###############################################################################
1696# SECTION:OS Specific Settings
1697###############################################################################
1698# Binary locations
1699IPTABLES = "/sbin/iptables"
1700IPTABLES_SAVE = "/sbin/iptables-save"
1701IPTABLES_RESTORE = "/sbin/iptables-restore"
1702IP6TABLES = "/sbin/ip6tables"
1703IP6TABLES_SAVE = "/sbin/ip6tables-save"
1704IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
1705MODPROBE = "/sbin/modprobe"
1706IFCONFIG = "/sbin/ifconfig"
1707SENDMAIL = "/usr/sbin/sendmail"
1708PS = "/bin/ps"
1709VMSTAT = "/usr/bin/vmstat"
1710LS = "/bin/ls"
1711MD5SUM = "/usr/bin/md5sum"
1712TAR = "/bin/tar"
1713CHATTR = "/usr/bin/chattr"
1714UNZIP = "/usr/bin/unzip"
1715GUNZIP = "/bin/gunzip"
1716DD = "/bin/dd"
1717
1718# Log file locations. The paths below mix Debian-style locations (auth.log,
# mail.log, apache2/error.log) with RHEL-style ones (/var/log/secure); check
# that every file listed here exists on this host, otherwise lfd has nothing to
# scan for the corresponding checks (e.g. SMTPAUTH_LOG for SMTP AUTH failures)
1719HTACCESS_LOG = "/var/log/apache2/error.log"
1720MODSEC_LOG = "/var/log/apache2/error.log"
1721SSHD_LOG = "/var/log/auth.log"
1722SU_LOG = "/var/log/messages"
1723FTPD_LOG = "/var/log/messages"
1724SMTPAUTH_LOG = "/var/log/secure"
1725POP3D_LOG = "/var/log/mail.log"
1726IMAPD_LOG = "/var/log/mail.log"
1727IPTABLES_LOG = "/var/log/messages"
1728SUHOSIN_LOG = "/var/log/messages"
1729BIND_LOG = "/var/log/messages"
1730SYSLOG_LOG = "/var/log/messages"
1731WEBMIN_LOG = "/var/log/auth.log"
1732
1733CUSTOM1_LOG = "/var/log/messages"
1734CUSTOM2_LOG = "/var/log/messages"
1735CUSTOM3_LOG = "/var/log/messages"
1736CUSTOM4_LOG = "/var/log/messages"
1737CUSTOM5_LOG = "/var/log/messages"
1738CUSTOM6_LOG = "/var/log/messages"
1739CUSTOM7_LOG = "/var/log/messages"
1740CUSTOM8_LOG = "/var/log/messages"
1741CUSTOM9_LOG = "/var/log/messages"
1742
1743# This configuration is for use with generic Linux servers, do not change the
1744# following setting:
1745GENERIC = "1"
1746
1747# If you find ever increasing numbers of zombie lfd processes you may need to
1748# revert to the old child reaper code by enabling this option
1749OLD_REAPER = "0"
1750
1751# For internal use only. You should not enable this option as it could cause
1752# instability in csf and lfd
1753DEBUG = "0"
1754###############################################################################