I would like to ask my friends, is there any configuration error in their csf firewall?
selinux and firewalld, have their own csf configurations turned off as follows:
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Initial Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Testing flag - enables a CRON job that clears iptables incase of
-sharp configuration problems when you start csf. This should be enabled until you
-sharp are sure that the firewall works - i.e. incase you get locked out of your
-sharp server! Then do remember to set it to 0 and restart csf when you"re sure
-sharp everything is OK. Stopping csf will remove the line from /etc/crontab
-sharp
-sharp lfd will not start while this is enabled
TESTING = "0"
-sharp The interval for the crontab in minutes. Since this uses the system clock the
-sharp CRON job will run at the interval past the hour and not from when you issue
-sharp the start command. Therefore an interval of 5 minutes means the firewall
-sharp will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
-sharp SECURITY WARNING
-sharp ================
-sharp
-sharp Unfortunately, syslog and rsyslog allow end-users to log messages to some
-sharp system logs via the same unix socket that other local services use. This
-sharp means that any log line shown in these system logs that syslog or rsyslog
-sharp maintain can be spoofed (they are exactly the same as real log lines).
-sharp
-sharp Since some of the features of lfd rely on such log lines, spoofed messages
-sharp can cause false-positive matches which can lead to confusion at best, or
-sharp blocking of any innocent IP address or making the server inaccessible at
-sharp worst.
-sharp
-sharp Any option that relies on the log entries in the files listed in
-sharp /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
-sharp vulnerable to exploitation by end-users and scripts run by end-users.
-sharp
-sharp NOTE: Not all log files are affected as they may not use syslog/rsyslog
-sharp
-sharp The option RESTRICT_SYSLOG disables all these features that rely on affected
-sharp logs. These options are:
-sharp LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
-sharp LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
-sharp LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
-sharp PORTKNOCKING_ALERT
-sharp
-sharp This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
-sharp ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
-sharp
-sharp The following options are still enabled by default on new installations so
-sharp that, on balance, csf/lfd still provides expected levels of security:
-sharp LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
-sharp
-sharp If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
-sharp above, it should be done with the knowledge that any of the those options
-sharp that are enabled could be triggered by spoofed log lines and lead to the
-sharp server being inaccessible in the worst case. If you do not want to take that
-sharp risk you should set RESTRICT_SYSLOG to "1" and those features will not work
-sharp but you will not be protected from the exploits that they normally help block
-sharp
-sharp The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
-sharp the syslog/rsyslog unix socket.
-sharp
-sharp For further advice on how to help mitigate these issues, see
-sharp /etc/csf/readme.txt
-sharp
-sharp 0 = Allow those options listed above to be used and configured
-sharp 1 = Disable all the options listed above and prevent them from being used
-sharp 2 = Disable only alerts about this feature and do nothing else
-sharp 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"
-sharp The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
-sharp write access to the syslog/rsyslog unix socket(s). The group must not already
-sharp exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
-sharp to a unique name for the server
-sharp
-sharp You can add users to this group by changing /etc/csf/csf.syslogusers and then
-sharp restarting lfd afterwards. This will create the system group and add the
-sharp users from csf.syslogusers if they exist to that group and will change the
-sharp permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
-sharp monitored and the permissions re-applied should syslog/rsyslog be restarted
-sharp
-sharp Using this option will prevent some legitimate logging, e.g. end-user cron
-sharp job logs
-sharp
-sharp If you want to revert RESTRICT_SYSLOG to another option and disable this
-sharp feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
-sharp syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"
-sharp This options restricts the ability to modify settings within this file from
-sharp the csf UI. Should the parent control panel be compromised, these restricted
-sharp options could be used to further compromise the server. For this reason we
-sharp recommend leaving this option set to at least "1" and if any of the
-sharp restricted items need to be changed, they are done so from the root shell
-sharp
-sharp 0 = Unrestricted UI
-sharp 1 = Restricted UI
-sharp 2 = Disabled UI
RESTRICT_UI = "1"
-sharp Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
-sharp runs once per day to see if there is an update to csf+lfd and upgrades if
-sharp available and restarts csf and lfd
-sharp
-sharp You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:IPv4 Port Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Lists of ports in the following comma separated lists can be added using a
-sharp colon (e.g. 30000:35000).
-sharp Some kernel/iptables setups do not perform stateful connection tracking
-sharp correctly (typically some virtual servers or custom compiled kernels), so a
-sharp SPI firewall will not function correctly. If this happens, LF_SPI can be set
-sharp to 0 to reconfigure csf as a static firewall.
-sharp
-sharp As connection tracking will not be configured, applications that rely on it
-sharp will not function unless all outgoing ports are opened. Therefore, all
-sharp outgoing connections will be allowed once all other tests have completed. So
-sharp TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
-sharp
-sharp If you allow incoming DNS lookups you may need to use the following
-sharp directive in the options{} section of your named.conf:
-sharp
-sharp query-source port 53;
-sharp
-sharp This will force incoming DNS traffic only through port 53
-sharp
-sharp Disabling this option will break firewall functionality that relies on
-sharp stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
-sharp less secure
-sharp
-sharp This option should be set to "1" in all other circumstances
LF_SPI = "1"
-sharp Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
-sharp Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
-sharp Allow incoming UDP ports
UDP_IN = "20,21,53"
-sharp Allow outgoing UDP ports
-sharp To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
-sharp Allow incoming PING. Disabling PING will likely break external uptime
-sharp monitoring
ICMP_IN = "1"
-sharp Set the per IP address incoming ICMP packet rate for PING requests. This
-sharp ratelimits PING requests which if exceeded results in silently rejected
-sharp packets. Disable or increase this value if you are seeing PING drops that you
-sharp do not want
-sharp
-sharp To disable rate limiting set to "0", otherwise set according to the iptables
-sharp documentation for the limit module. For example, "1/s" will limit to one
-sharp packet per second
ICMP_IN_RATE = "1/s"
-sharp Allow outgoing PING
-sharp
-sharp Unless there is a specific reason, this option should NOT be disabled as it
-sharp could break OS functionality
ICMP_OUT = "1"
-sharp Set the per IP address outgoing ICMP packet rate for PING requests. This
-sharp ratelimits PING requests which if exceeded results in silently rejected
-sharp packets. Disable or increase this value if you are seeing PING drops that you
-sharp do not want
-sharp
-sharp Unless there is a specific reason, this option should NOT be enabled as it
-sharp could break OS functionality
-sharp
-sharp To disable rate limiting set to "0", otherwise set according to the iptables
-sharp documentation for the limit module. For example, "1/s" will limit to one
-sharp packet per second
ICMP_OUT_RATE = "0"
-sharp For those with PCI Compliance tools that state that ICMP timestamps (type 13)
-sharp should be dropped, you can enable the following option. Otherwise, there
-sharp appears to be little evidence that it has anything to do with a security risk
-sharp and can impact network performance, so should be left disabled by everyone
-sharp else
ICMP_TIMESTAMPDROP = "0"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:IPv6 Port Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp IPv6: (Requires ip6tables)
-sharp
-sharp Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
-sharp firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
-sharp
-sharp Supported:
-sharp Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
-sharp PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
-sharp SYNFLOOD, LF_NETBLOCK
-sharp
-sharp Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
-sharp CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
-sharp CC_ALLOW_SMTPAUTH
-sharp
-sharp Supported if ip6tables >= 1.4.3:
-sharp PORTFLOOD, CONNLIMIT
-sharp
-sharp Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
-sharp installed:
-sharp MESSENGER DOCKER SMTP_REDIRECT
-sharp
-sharp Not supported:
-sharp ICMP_IN, ICMP_OUT
-sharp
IPV6 = "1"
-sharp IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
-sharp traffic in the INPUT and OUTPUT chains. However, this could increase the risk
-sharp of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
-sharp connection types
IPV6_ICMP_STRICT = "0"
-sharp Pre v2.6.20 kernel must set this option to "0" as no working state module is
-sharp present, so a static firewall is configured as a fallback
-sharp
-sharp A workaround has been added for CentOS/RedHat v5 and custom kernels that do
-sharp not support IPv6 connection tracking by opening ephemeral port range
-sharp 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
-sharp same workaround implemented by RedHat in the sample default IPv6 rules
-sharp
-sharp As connection tracking will not be configured, applications that rely on it
-sharp will not function unless all outgoing ports are opened. Therefore, all
-sharp outgoing connections will be allowed once all other tests have completed. So
-sharp TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
-sharp
-sharp If you allow incoming ipv6 DNS lookups you may need to use the following
-sharp directive in the options{} section of your named.conf:
-sharp
-sharp query-source-v6 port 53;
-sharp
-sharp This will force ipv6 incoming DNS traffic only through port 53
-sharp
-sharp These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"
-sharp Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
-sharp Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
-sharp Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"
-sharp Allow outgoing IPv6 UDP ports
-sharp To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:General Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp By default, csf will auto-configure iptables to filter all traffic except on
-sharp the loopback device. If you only want iptables rules applied to a specific
-sharp NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""
-sharp By adding a device to this option, ip6tables can be configured only on the
-sharp specified device. Otherwise, ETH_DEVICE and then the default setting will be
-sharp used
ETH6_DEVICE = ""
-sharp If you don"t want iptables rules applied to specific NICs, then list them in
-sharp a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""
-sharp This option should be enabled unless the kernel does not support the
-sharp "conntrack" module
-sharp
-sharp To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"
-sharp Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
-sharp instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
-sharp This will also remove the RELATED target from the global state iptables rule
-sharp
-sharp This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
-sharp the raw tables do not exist. The USE_CONNTRACK option should be enabled
-sharp
-sharp To enable this option, set it to your FTP server listening port number
-sharp (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"
-sharp Check whether syslog is running. Many of the lfd checks require syslog to be
-sharp running correctly. This test will send a coded message to syslog every
-sharp SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
-sharp message. If it fails to do so within SYSLOG_CHECK seconds an alert using
-sharp syslogalert.txt is sent
-sharp
-sharp A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"
-sharp Enable this option if you want lfd to ignore (i.e. don"t block) IP addresses
-sharp listed in csf.allow in addition to csf.ignore (the default). This option
-sharp should be used with caution as it would mean that IP"s allowed through the
-sharp firewall from infected PC"s could launch attacks on the server that lfd
-sharp would ignore
IGNORE_ALLOW = "1"
-sharp Enable the following option if you want to apply strict iptables rules to DNS
-sharp traffic (i.e. relying on iptables connection tracking). Enabling this option
-sharp could cause DNS resolution issues both to and from the server but could help
-sharp prevent abuse of the local DNS server
DNS_STRICT = "0"
-sharp Enable the following option if you want to apply strict iptables rules to DNS
-sharp traffic between the server and the nameservers listed in /etc/resolv.conf
-sharp Enabling this option could cause DNS resolution issues both to and from the
-sharp server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"
-sharp Limit the number of IP"s kept in the /etc/csf/csf.deny file
-sharp
-sharp Care should be taken when increasing this value on servers with low memory
-sharp resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
-sharp thousands) can sometimes cause network slowdown
-sharp
-sharp The value set here is the maximum number of IPs/CIDRs allowed
-sharp if the limit is reached, the entries will be rotated so that the oldest
-sharp entries (i.e. the ones at the top) will be removed and the latest is added.
-sharp The limit is only checked when using csf -d (which is what lfd also uses)
-sharp Set to 0 to disable limiting
-sharp
-sharp For implementations wishing to set this value significantly higher, we
-sharp recommend using the IPSET option
DENY_IP_LIMIT = "200"
-sharp Limit the number of IP"s kept in the temprary IP ban list. If the limit is
-sharp reached the oldest IP"s in the ban list will be removed and allowed
-sharp regardless of the amount of time remaining for the block
-sharp Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"
-sharp Enable login failure detection daemon (lfd). If set to 0 none of the
-sharp following settings will have any effect as the daemon won"t start.
LF_DAEMON = "1"
-sharp Check whether csf appears to have been stopped and restart if necessary,
-sharp unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"
-sharp This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
-sharp IP6TABLES_RESTORE in two ways:
-sharp
-sharp 1. On a clean server reboot the entire csf iptables configuration is saved
-sharp and then restored where possible to provide a near instant firewall
-sharp startup[*]
-sharp
-sharp 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
-sharp BOGON, TOR are loaded using this method in a fraction of the time than if
-sharp this setting is disabled
-sharp
-sharp [*]Not supported on all OS platforms
-sharp
-sharp Set to "0" to disable this functionality
FASTSTART = "1"
-sharp This option allows you to use ipset v6+ for the following csf options:
-sharp CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
-sharp GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
-sharp
-sharp ipset will only be used with the above options when listing IPs and CIDRs.
-sharp Advanced Allow Filters and temporary blocks use traditional iptables
-sharp
-sharp Using ipset moves the onus of ip matching against large lists away from
-sharp iptables rules and to a purpose built and optimised database matching
-sharp utility. It also simplifies the switching in of updated lists
-sharp
-sharp To use this option you must have a fully functioning installation of ipset
-sharp installed either via rpm or source from http://ipset.netfilter.org/
-sharp
-sharp Note: Using ipset has many advantages, some disadvantages are that you will
-sharp no longer see packet and byte counts against IPs and it makes identifying
-sharp blocked/allowed IPs that little bit harder
-sharp
-sharp Note: If you mainly use IP address only entries in csf.deny, you can increase
-sharp the value of DENY_IP_LIMIT significantly if you wish
-sharp
-sharp Note: It"s highly unlikely that ipset will function on Virtuozzo/OpenVZ
-sharp containers even if it has been installed
-sharp
-sharp If you find any problems, please post on forums.configserver.com with full
-sharp details of the issue
LF_IPSET = "0"
-sharp Versions of iptables greater or equal to v1.4.20 should support the --wait
-sharp option. This forces iptables commands that use the option to wait until a
-sharp lock by any other process using iptables completes, rather than simply
-sharp failing
-sharp
-sharp Enabling this feature will add the --wait option to iptables commands
-sharp
-sharp NOTE: The disadvantage of using this option is that any iptables command that
-sharp uses it will hang until the lock is released. This could cause a cascade of
-sharp hung processes trying to issue iptables commands. To try and avoid this issue
-sharp csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
-sharp a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"
-sharp The following sets the hashsize for ipset sets, which must be a power of 2.
-sharp
-sharp Note: Increasing this value will consume more memory for all sets
-sharp Default: "1024"
LF_IPSET_HASHSIZE = "1024"
-sharp The following sets the maxelem for ipset sets.
-sharp
-sharp Note: Increasing this value will consume more memory for all sets
-sharp Default: "65536"
LF_IPSET_MAXELEM = "65536"
-sharp If you enable this option then whenever a CLI request to restart csf is used
-sharp lfd will restart csf instead within LF_PARSE seconds
-sharp
-sharp This feature can be helpful for restarting configurations that cannot use
-sharp FASTSTART
LFDSTART = "0"
-sharp Enable verbose output of iptables commands
VERBOSE = "1"
-sharp Drop out of order packets and packets in an INVALID state in iptables
-sharp connection tracking
PACKET_FILTER = "1"
-sharp Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"
-sharp Custom styling is possible in the csf UI. See the readme.txt for more
-sharp information under "UI skinning and Mobile View"
-sharp
-sharp This option enables the use of custom styling. If the styling fails to work
-sharp correctly, e.g. custom styling does not take into account a change in the
-sharp standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"
-sharp This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:SMTP Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Block outgoing SMTP except for root, exim and mailman (forces scripts/users
-sharp to use the exim/sendmail binary instead of sockets access). This replaces the
-sharp protection as WHM > Tweak Settings > SMTP Tweaks
-sharp
-sharp This option uses the iptables ipt_owner/xt_owner module and must be loaded
-sharp for it to work. It may not be available on some VPS platforms
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
SMTP_BLOCK = "0"
-sharp If SMTP_BLOCK is enabled but you want to allow local connections to port 25
-sharp on the server (e.g. for webmail or web scripts) then enable this option to
-sharp allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"
-sharp This option redirects outgoing SMTP connections destined for remote servers
-sharp for non-bypass users to the local SMTP server to force local relaying of
-sharp email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"
-sharp This is a comma separated list of the ports to block. You should list all
-sharp ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"
-sharp Always allow the following comma separated users and groups to bypass
-sharp SMTP_BLOCK
-sharp
-sharp Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
-sharp This option will only allow SMTP AUTH to be advertised to the IP addresses
-sharp listed in /etc/csf/csf.smtpauth on EXIM mail servers
-sharp
-sharp The additional option CC_ALLOW_SMTPAUTH can be used with this option to
-sharp additionally restrict access to specific countries
-sharp
-sharp This is to help limit attempts at distributed attacks against SMTP AUTH which
-sharp are difficult to achive since port 25 needs to be open to relay email
-sharp
-sharp The reason why this works is that if EXIM does not advertise SMTP AUTH on a
-sharp connection, then SMTP AUTH will not accept logins, defeating the attacks
-sharp without restricting mail relaying
-sharp
-sharp Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
-sharp that the lookup file in /etc/exim.smtpauth is regenerated from the
-sharp information from /etc/csf/csf.smtpauth plus any countries listed in
-sharp CC_ALLOW_SMTPAUTH
-sharp
-sharp NOTE: To make this option work you MUST make the modifications to exim.conf
-sharp as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
-sharp after enabling the option here, otherwise this option will not work
-sharp
-sharp To enable this option, set to 1 and make the exim configuration changes
-sharp To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Port Flood Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Enable SYN Flood Protection. This option configures iptables to offer some
-sharp protection from tcp SYN packet DOS attempts. You should set the RATE so that
-sharp false-positives are kept to a minimum otherwise visitors may see connection
-sharp issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
-sharp man page for the correct --limit rate syntax
-sharp
-sharp Note: This option should ONLY be enabled if you know you are under a SYN
-sharp flood attack as it will slow down all new connections from any IP address to
-sharp the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
-sharp Connection Limit Protection. This option configures iptables to offer more
-sharp protection from DOS attacks against specific ports. It can also be used as a
-sharp way to simply limit resource usage by IP address to specific server services.
-sharp This option limits the number of concurrent new connections per IP address
-sharp that can be made to specific ports
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included
-sharp
-sharp For further information and syntax refer to the Connection Limit Protection
-sharp section of the csf readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
CONNLIMIT = ""
-sharp Port Flood Protection. This option configures iptables to offer protection
-sharp from DOS attacks against specific ports. This option limits the number of
-sharp new connections per time interval that can be made to specific ports
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included
-sharp
-sharp For further information and syntax refer to the Port Flood Protection
-sharp section of the csf readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
PORTFLOOD = "22;tcp;10;300,80;tcp;200;5,443;tcp;200;5"
-sharp Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
-sharp These typically originate from exploit scripts uploaded through vulnerable
-sharp web scripts. Care should be taken on servers that use services that utilise
-sharp high levels of UDP outbound traffic, such as SNMP, so you may need to alter
-sharp the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
-sharp
-sharp We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"
-sharp This is a list of usernames that should not be rate limited, such as "named"
-sharp to prevent bind traffic from being limited.
-sharp
-sharp Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Logging Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
-sharp perl module Sys::Syslog installed to use this feature
SYSLOG = "0"
-sharp Drop target for incoming iptables rules. This can be set to either DROP or
-sharp REJECT. REJECT will send back an error packet, DROP will not respond at all.
-sharp REJECT is more polite, however it does provide extra information to a hacker
-sharp and lets them know that a firewall is blocking their attempts. DROP hangs
-sharp their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"
-sharp Drop target for outgoing iptables rules. This can be set to either DROP or
-sharp REJECT as with DROP, however as such connections are from this server it is
-sharp better to REJECT connections to closed ports rather than to DROP them. This
-sharp helps to immediately free up server resources rather than tying them up until
-sharp a connection times out. It also tells the process making the connection that
-sharp it has immediately failed
-sharp
-sharp It is possible that some monolithic kernels may not support the REJECT
-sharp target. If this is the case, csf checks before using REJECT and falls back to
-sharp using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"
-sharp Enable logging of dropped connections to blocked ports to syslog, usually
-sharp /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"
-sharp Enable logging of dropped incoming connections from blocked IP addresses
-sharp
-sharp This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"
-sharp Enable logging of dropped outgoing connections
-sharp
-sharp Note: Only outgoing SYN packets for TCP connections are logged, other
-sharp protocols log all packets
-sharp
-sharp We recommend that you enable this option
DROP_OUT_LOGGING = "1"
-sharp Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
-sharp out (where available) which can help track abuse
DROP_UID_LOGGING = "1"
-sharp Only log incoming reserved port dropped connections (0:1023). This can reduce
-sharp the amount of log noise from dropped connections, but will affect options
-sharp such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"
-sharp Commonly blocked ports that you do not want logging as they tend to just fill
-sharp up the log file. These ports are specifically blocked (applied to TCP and UDP
-sharp protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
-sharp Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"
-sharp Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
-sharp this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
-sharp addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"
-sharp Enable logging of UDP floods. This should be enabled, especially with User ID
-sharp Tracking enabled
UDPFLOOD_LOGGING = "1"
-sharp Send an alert if log file flooding is detected which causes lfd to skip log
-sharp lines to prevent lfd from looping. If this alert is sent you should check the
-sharp reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Reporting Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp By default, lfd will send alert emails using the relevant alert template to
-sharp the To: address configured within that template. Setting the following
-sharp option will override the configured To: field in all lfd alert emails
-sharp
-sharp Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""
-sharp By default, lfd will send alert emails using the relevant alert template from
-sharp the From: address configured within that template. Setting the following
-sharp option will override the configured From: field in all lfd alert emails
-sharp
-sharp Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""
-sharp By default, lfd will send all alerts using the SENDMAIL binary. To send using
-sharp SMTP directly, you can set the following to a relaying SMTP server, e.g.
-sharp "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""
-sharp Block Reporting. lfd can run an external script when it performs and IP
-sharp address block following for example a login failure. The following setting
-sharp is to the full path of the external script which must be executable. See
-sharp readme.txt for format details
-sharp
-sharp Leave this setting blank to disable
BLOCK_REPORT = ""
-sharp To also run an external script when a temporary block is unblocked. The
-sharp following setting can be the full path of the external script which must be
-sharp executable. See readme.txt for format details
-sharp
-sharp Leave this setting blank to disable
UNBLOCK_REPORT = ""
-sharp In addition to the standard lfd email alerts, you can additionally enable the
-sharp sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
-sharp block alert messages will be sent. The reports use our schema at:
-sharp https://download.configserver.com/abuse_login-attack_0.2.json
-sharp
-sharp These reports are in a format accepted by many Netblock owners and should
-sharp help them investigate abuse. This option is not designed to automatically
-sharp forward these reports to the Netblock owners and should be checked for
-sharp false-positive blocks before reporting
-sharp
-sharp If available, the report will also include the abuse contact for the IP from
-sharp the Abusix Contact DB: https://abusix.com/contactdb.html
-sharp
-sharp Note: The following block types are not reported through this feature:
-sharp LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"
-sharp By default, lfd will send emails from the root forwarder. Setting the
-sharp following option will override this
X_ARF_FROM = ""
-sharp By default, lfd will send emails to the root forwarder. Setting the following
-sharp option will override this
X_ARF_TO = ""
-sharp If you want to automatically send reports to the abuse contact where found,
-sharp you can enable the following option
-sharp
-sharp Note: You MUST set X_ARF_FROM to a valid email address for this option to
-sharp work. This is so that the abuse contact can reply to the report
-sharp
-sharp However, you should be aware that without manual checking you could be
-sharp reporting innocent IP addresses, including your own clients, yourself and
-sharp your own servers
-sharp
-sharp Additionally, just because a contact address is found, does not mean that
-sharp there is anyone on the end of it reading, processing or acting on such
-sharp reports and you could conceivably reported for sending spam
-sharp
-sharp We do not recommend enabling this option. Abuse reports should be checked and
-sharp verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Temp to Perm/Netblock Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Temporary to Permanent IP blocking. The following enables this feature to
-sharp permanently block IP addresses that have been temporarily blocked more than
-sharp LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
-sharp LF_PERMBLOCK to "1" to enable this feature
-sharp
-sharp Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
-sharp at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
-sharp (TTL) for blocked IPs, to be effective
-sharp
-sharp Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
-sharp Permanently block IPs by network class. The following enables this feature
-sharp to permanently block classes of IP address where individual IP addresses
-sharp within the same class LF_NETBLOCK_CLASS have already been blocked more than
-sharp LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
-sharp LF_NETBLOCK to "1" to enable this feature
-sharp
-sharp This can be an affective way of blocking DDOS attacks launched from within
-sharp the same network class
-sharp
-sharp Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
-sharp consideration is required when blocking network classes A or B
-sharp
-sharp Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
-sharp Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
-sharp Great care should be taken with IPV6 netblock ranges due to the large number
-sharp of addresses involved
-sharp
-sharp To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Global Lists/DYNDNS/Blocklists
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
-sharp SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
-sharp chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
-sharp chain, then flush and delete the old dynamic chain and rename the new chain.
-sharp
-sharp This prevents a small window of opportunity opening when an update occurs and
-sharp the dynamic chain is flushed for the new rules.
-sharp
-sharp This option should not be enabled on servers with long dynamic chains (e.g.
-sharp CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
-sharp Virtuozzo VPS servers with a restricted numiptent value. This is because each
-sharp chain will effectively be duplicated while the update occurs, doubling the
-sharp number of iptables rules
SAFECHAINUPDATE = "0"
-sharp If you wish to allow access from dynamic DNS records (for example if your IP
-sharp address changes whenever you connect to the internet but you have a dedicated
-sharp dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
-sharp records in csf.dyndns and then set the following to the number of seconds to
-sharp poll for a change in the IP address. If the IP address has changed iptables
-sharp will be updated.
-sharp
-sharp If the FQDN has multiple A records then all of the IP addresses will be
-sharp processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
-sharp also be allowed.
-sharp
-sharp A setting of 600 would check for IP updates every 10 minutes. Set the value
-sharp to 0 to disable the feature
DYNDNS = "0"
-sharp To always ignore DYNDNS IP addresses in lfd blocking, set the following
-sharp option to 1
DYNDNS_IGNORE = "0"
-sharp The follow Global options allow you to specify a URL where csf can grab a
-sharp centralised copy of an IP allow or deny block list of your own. You need to
-sharp specify the full URL in the following options, i.e.:
-sharp http://www.somelocation.com/allow.txt
-sharp
-sharp The actual retrieval of these IP"s is controlled by lfd, so you need to set
-sharp LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
-sharp will perform the retrieval when it runs and then again at the specified
-sharp interval. A sensible interval would probably be every 3600 seconds (1 hour).
-sharp A minimum value of 300 is enforced for LF_GLOBAL if enabled
-sharp
-sharp You do not have to specify both an allow and a deny file
-sharp
-sharp You can also configure a global ignore file for IP"s that lfd should ignore
LF_GLOBAL = "0"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
-sharp Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
-sharp this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""
-sharp Set the following to the number of seconds to poll for a change in the IP
-sharp address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"
-sharp To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
-sharp option to 1
GLOBAL_DYNDNS_IGNORE = "0"
-sharp Blocklists are controlled by modifying /etc/csf/csf.blocklists
-sharp
-sharp If you don"t want BOGON rules applied to specific NICs, then list them in
-sharp a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""
-sharp The following option can be used to select either HTTP::Tiny or
-sharp LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
-sharp LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
-sharp have to be installed manually, but it can better support https:// URL"s
-sharp which also needs the LWP::Protocol::https perl module
-sharp
-sharp For example:
-sharp
-sharp On rpm based systems:
-sharp
-sharp yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
-sharp
-sharp On APT based systems:
-sharp
-sharp apt-get install libwww-perl liblwp-protocol-https-perl
-sharp
-sharp Via cpan:
-sharp
-sharp perl -MCPAN -eshell
-sharp cpan> install LWP LWP::Protocol::https
-sharp
-sharp We recommend setting this set to "2" as upgrades to csf will be performed
-sharp over SSL to https://download.configserver.com
-sharp
-sharp "1" = HTTP::Tiny
-sharp "2" = LWP::UserAgent
URLGET = "2"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Country Code Lists and Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Country Code to CIDR allow/deny. In the following two options you can allow
-sharp or deny whole country CIDR ranges. The CIDR blocks are generated from the
-sharp MaxMind GeoLite2 Country database at:
-sharp https://dev.MaxMind.com/geoip/geoip2/geolite2/
-sharp This feature relies entirely on that service being available
-sharp
-sharp Specify the the two-letter ISO Country Code(s). The iptables rules are for
-sharp incoming connections only
-sharp
-sharp Additionally, ASN numbers can also be added to the comma separated lists
-sharp below that also list Country Codes. The same WARNINGS for Country Codes apply
-sharp to the use of ASNs. More about Autonomous System Numbers (ASN):
-sharp http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
-sharp
-sharp You should consider using LF_IPSET when using any of the following options
-sharp
-sharp WARNING: These lists are never 100% accurate and some ISP"s (e.g. AOL) use
-sharp non-geographic IP address designations for their clients
-sharp
-sharp WARNING: Some of the CIDR lists are huge and each one requires a rule within
-sharp the incoming iptables chain. This can result in significant performance
-sharp overheads and could render the server inaccessible in some circumstances. For
-sharp this reason (amongst others) we do not recommend using these options
-sharp
-sharp WARNING: Due to the resource constraints on VPS servers this feature should
-sharp not be used on such systems unless you choose very small CC zones
-sharp
-sharp WARNING: CC_ALLOW allows access through all ports in the firewall. For this
-sharp reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
-sharp preferred
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
-sharp An alternative to CC_ALLOW is to only allow access from the following
-sharp countries but still filter based on the port and packets rules. All other
-sharp connections are dropped
CC_ALLOW_FILTER = ""
-sharp This option allows access from the following countries to specific ports
-sharp listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
-sharp
-sharp Note: The rules for this feature are inserted after the allow and deny
-sharp rules to still allow blocking of IP addresses
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""
-sharp All listed ports should be removed from TCP_IN/UDP_IN to block access from
-sharp elsewhere. This option uses the same format as TCP_IN/UDP_IN
-sharp
-sharp An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
-sharp then only counties listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
-sharp This option denies access from the following countries to specific ports
-sharp listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
-sharp
-sharp Note: The rules for this feature are inserted after the allow and deny
-sharp rules to still allow allowing of IP addresses
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_DENY_PORTS = ""
-sharp This option uses the same format as TCP_IN/UDP_IN. The ports listed should
-sharp NOT be removed from TCP_IN/UDP_IN
-sharp
-sharp An example would be to list port 21 here then counties listed in
-sharp CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
-sharp This Country Code list will prevent lfd from blocking IP address hits for the
-sharp listed CC"s
-sharp
-sharp CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""
-sharp This Country Code list will only allow SMTP AUTH to be advertised to the
-sharp listed countries in EXIM. This is to help limit attempts at distributed
-sharp attacks against SMTP AUTH which are difficult to achive since port 25 needs
-sharp to be open to relay email
-sharp
-sharp The reason why this works is that if EXIM does not advertise SMTP AUTH on a
-sharp connection, then SMTP AUTH will not accept logins, defeating the attacks
-sharp without restricting mail relaying
-sharp
-sharp This option can generate a very large list of IP addresses that could easily
-sharp severely impact on SMTP (mail) performance, so care must be taken when
-sharp selecting countries and if performance issues ensue
-sharp
-sharp The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""
-sharp Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
-sharp than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
-sharp help reduce the number of CC entries and may improve iptables throughput.
-sharp Obviously, this will deny/allow fewer IP addresses depending on how small you
-sharp configure the option
-sharp
-sharp For example, to ignore all CIDR (and single IP) entries small than a /16, set
-sharp this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""
-sharp Display Country Code and Country for reported IP addresses. This option can
-sharp be configured to use the MaxMind Country Database or the more detailed (and
-sharp much larger and therefore slower) MaxMind City Database. An additional option
-sharp is also available if you cannot use the MaxMind databases
-sharp
-sharp "0" - disable
-sharp "1" - Reports: Country Code and Country
-sharp "2" - Reports: Country Code and Country and Region and City
-sharp "3" - Reports: Country Code and Country and Region and City and ASN
-sharp "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
-sharp
-sharp Note: "4" does not use the MaxMind databases directly for lookups. Instead it
-sharp uses a URL-based lookup from a third-party provider at https://freegeoip.net
-sharp and so avoids having to download and process the large databases. Please
-sharp visit the https://freegeoip.net and read their limitations and respect that
-sharp this option will either cease to function or be removed by us if that site is
-sharp abused or overloaded. ONLY use this option if you have difficulties using the
-sharp MaxMind databases. This option is ONLY for IP lookups, NOT when using the
-sharp CC_* options above, which will continue to use the MaxMind databases
-sharp
CC_LOOKUPS = "1"
-sharp Display Country Code and Country for reported IPv6 addresses using the
-sharp MaxMind Country IPv6 Database
-sharp
-sharp "0" - disable
-sharp "1" - enable and report the detail level as specified in CC_LOOKUPS
-sharp
-sharp This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
-sharp PORTFLOOD
CC6_LOOKUPS = "0"
-sharp This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
-sharp database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
-sharp days)
CC_INTERVAL = "14"
nginx.conf is configured as follows
-sharpuser nobody;
worker_processes 1;
-sharperror_log logs/error.log;
-sharperror_log logs/error.log notice;
-sharperror_log logs/error.log info;
-sharppid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
-sharplog_format main "$remote_addr - $remote_user [$time_local] "$request" "
-sharp "$status $body_bytes_sent "$http_referer" "
-sharp ""$http_user_agent" "$http_x_forwarded_for"";
-sharpaccess_log logs/access.log main;
sendfile on;
-sharptcp_nopush on;
-sharpkeepalive_timeout 0;
keepalive_timeout 65;
client_max_body_size 8m; -sharp
client_body_buffer_size 2m; -sharp
gzip on;
-sharpWAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
server {
listen 127.0.0.1;
server_name mywebsiteip.com;
-sharpcharset koi8-r;
-sharpaccess_log logs/host.access.log main;
location / {
root html;
index index.php index.html index.htm;
}
-sharperror_page 404 /404.html;
-sharp redirect server error pages to the static page /50x.html
-sharp
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
-sharp proxy the PHP scripts to Apache listening on 127.0.0.1:80
-sharp
-sharplocation ~ \.php$ {
-sharp proxy_pass http://127.0.0.1;
-sharp}
-sharp pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-sharp
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
-sharp deny access to .htaccess files, if Apache"s document root
-sharp concurs with nginx"s one
-sharp
-sharplocation ~ /\.ht {
-sharp deny all;
-sharp}
}
-sharp another virtual host using mix of IP-, name-, and port-based configuration
-sharp
-sharpserver {
-sharp listen 8000;
-sharp listen somename:8080;
-sharp server_name somename alias another.alias;
-sharp location / {
-sharp root html;
-sharp index index.html index.htm;
-sharp }
-sharp}
-sharp HTTPS server
-sharp
-sharpserver {
-sharp listen 443 ssl;
-sharp server_name localhost;
-sharp ssl_certificate cert.pem;
-sharp ssl_certificate_key cert.key;
-sharp ssl_session_cache shared:SSL:1m;
-sharp ssl_session_timeout 5m;
-sharp ssl_ciphers HIGH:!aNULL:!MD5;
-sharp ssl_prefer_server_ciphers on;
-sharp location / {
-sharp root html;
-sharp index index.html index.htm;
-sharp }
-sharp}
}