When I configure the csf firewall and refresh the site's fixed url a few times, there will be 403 forbidden, that can be accessed again after a while. Over and over again.

I would like to ask my friends, is there any configuration error in their csf firewall?

selinux and firewalld, have their own csf configurations turned off as follows:

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Initial Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Testing flag - enables a CRON job that clears iptables incase of
-sharp configuration problems when you start csf. This should be enabled until you
-sharp are sure that the firewall works - i.e. incase you get locked out of your
-sharp server! Then do remember to set it to 0 and restart csf when you"re sure
-sharp everything is OK. Stopping csf will remove the line from /etc/crontab
-sharp
-sharp lfd will not start while this is enabled
TESTING = "0"

-sharp The interval for the crontab in minutes. Since this uses the system clock the
-sharp CRON job will run at the interval past the hour and not from when you issue
-sharp the start command. Therefore an interval of 5 minutes means the firewall
-sharp will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

-sharp SECURITY WARNING
-sharp ================
-sharp
-sharp Unfortunately, syslog and rsyslog allow end-users to log messages to some
-sharp system logs via the same unix socket that other local services use. This 
-sharp means that any log line shown in these system logs that syslog or rsyslog
-sharp maintain can be spoofed (they are exactly the same as real log lines).
-sharp
-sharp Since some of the features of lfd rely on such log lines, spoofed messages
-sharp can cause false-positive matches which can lead to confusion at best, or
-sharp blocking of any innocent IP address or making the server inaccessible at
-sharp worst.
-sharp
-sharp Any option that relies on the log entries in the files listed in
-sharp /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
-sharp vulnerable to exploitation by end-users and scripts run by end-users.
-sharp
-sharp NOTE: Not all log files are affected as they may not use syslog/rsyslog
-sharp
-sharp The option RESTRICT_SYSLOG disables all these features that rely on affected
-sharp logs. These options are:
-sharp LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
-sharp LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
-sharp LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
-sharp PORTKNOCKING_ALERT
-sharp
-sharp This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
-sharp ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
-sharp
-sharp The following options are still enabled by default on new installations so
-sharp that, on balance, csf/lfd still provides expected levels of security:
-sharp LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
-sharp
-sharp If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
-sharp above, it should be done with the knowledge that any of the those options
-sharp that are enabled could be triggered by spoofed log lines and lead to the
-sharp server being inaccessible in the worst case. If you do not want to take that
-sharp risk you should set RESTRICT_SYSLOG to "1" and those features will not work
-sharp but you will not be protected from the exploits that they normally help block
-sharp
-sharp The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
-sharp the syslog/rsyslog unix socket.
-sharp
-sharp For further advice on how to help mitigate these issues, see
-sharp /etc/csf/readme.txt
-sharp
-sharp 0 = Allow those options listed above to be used and configured
-sharp 1 = Disable all the options listed above and prevent them from being used
-sharp 2 = Disable only alerts about this feature and do nothing else
-sharp 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"

-sharp The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
-sharp write access to the syslog/rsyslog unix socket(s). The group must not already
-sharp exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
-sharp to a unique name for the server
-sharp
-sharp You can add users to this group by changing /etc/csf/csf.syslogusers and then
-sharp restarting lfd afterwards. This will create the system group and add the
-sharp users from csf.syslogusers if they exist to that group and will change the
-sharp permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
-sharp monitored and the permissions re-applied should syslog/rsyslog be restarted
-sharp
-sharp Using this option will prevent some legitimate logging, e.g. end-user cron
-sharp job logs
-sharp
-sharp If you want to revert RESTRICT_SYSLOG to another option and disable this
-sharp feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
-sharp syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"

-sharp This options restricts the ability to modify settings within this file from
-sharp the csf UI. Should the parent control panel be compromised, these restricted
-sharp options could be used to further compromise the server. For this reason we
-sharp recommend leaving this option set to at least "1" and if any of the
-sharp restricted items need to be changed, they are done so from the root shell
-sharp
-sharp 0 = Unrestricted UI
-sharp 1 = Restricted UI
-sharp 2 = Disabled UI
RESTRICT_UI = "1"

-sharp Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
-sharp runs once per day to see if there is an update to csf+lfd and upgrades if
-sharp available and restarts csf and lfd
-sharp
-sharp You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:IPv4 Port Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Lists of ports in the following comma separated lists can be added using a
-sharp colon (e.g. 30000:35000).

-sharp Some kernel/iptables setups do not perform stateful connection tracking
-sharp correctly (typically some virtual servers or custom compiled kernels), so a
-sharp SPI firewall will not function correctly. If this happens, LF_SPI can be set
-sharp to 0 to reconfigure csf as a static firewall.
-sharp
-sharp As connection tracking will not be configured, applications that rely on it
-sharp will not function unless all outgoing ports are opened. Therefore, all
-sharp outgoing connections will be allowed once all other tests have completed. So
-sharp TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
-sharp
-sharp If you allow incoming DNS lookups you may need to use the following
-sharp directive in the options{} section of your named.conf:
-sharp
-sharp        query-source port 53;
-sharp
-sharp This will force incoming DNS traffic only through port 53
-sharp
-sharp Disabling this option will break firewall functionality that relies on
-sharp stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
-sharp less secure
-sharp
-sharp This option should be set to "1" in all other circumstances
LF_SPI = "1"

-sharp Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

-sharp Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

-sharp Allow incoming UDP ports
UDP_IN = "20,21,53"

-sharp Allow outgoing UDP ports
-sharp To allow outgoing traceroute add 33434:33523 to this list 
UDP_OUT = "20,21,53,113,123"

-sharp Allow incoming PING. Disabling PING will likely break external uptime
-sharp monitoring
ICMP_IN = "1"

-sharp Set the per IP address incoming ICMP packet rate for PING requests. This
-sharp ratelimits PING requests which if exceeded results in silently rejected
-sharp packets. Disable or increase this value if you are seeing PING drops that you
-sharp do not want
-sharp
-sharp To disable rate limiting set to "0", otherwise set according to the iptables
-sharp documentation for the limit module. For example, "1/s" will limit to one
-sharp packet per second
ICMP_IN_RATE = "1/s"

-sharp Allow outgoing PING
-sharp
-sharp Unless there is a specific reason, this option should NOT be disabled as it
-sharp could break OS functionality
ICMP_OUT = "1"

-sharp Set the per IP address outgoing ICMP packet rate for PING requests. This
-sharp ratelimits PING requests which if exceeded results in silently rejected
-sharp packets. Disable or increase this value if you are seeing PING drops that you
-sharp do not want
-sharp
-sharp Unless there is a specific reason, this option should NOT be enabled as it
-sharp could break OS functionality
-sharp
-sharp To disable rate limiting set to "0", otherwise set according to the iptables
-sharp documentation for the limit module. For example, "1/s" will limit to one
-sharp packet per second
ICMP_OUT_RATE = "0"

-sharp For those with PCI Compliance tools that state that ICMP timestamps (type 13)
-sharp should be dropped, you can enable the following option. Otherwise, there
-sharp appears to be little evidence that it has anything to do with a security risk
-sharp and can impact network performance, so should be left disabled by everyone
-sharp else
ICMP_TIMESTAMPDROP = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:IPv6 Port Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp IPv6: (Requires ip6tables)
-sharp
-sharp Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
-sharp firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
-sharp
-sharp Supported:
-sharp Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
-sharp PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS, 
-sharp SYNFLOOD, LF_NETBLOCK
-sharp
-sharp Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
-sharp CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
-sharp CC_ALLOW_SMTPAUTH
-sharp
-sharp Supported if ip6tables >= 1.4.3:
-sharp PORTFLOOD, CONNLIMIT
-sharp
-sharp Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
-sharp installed:
-sharp MESSENGER DOCKER SMTP_REDIRECT
-sharp
-sharp Not supported:
-sharp ICMP_IN, ICMP_OUT
-sharp
IPV6 = "1"

-sharp IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
-sharp traffic in the INPUT and OUTPUT chains. However, this could increase the risk
-sharp of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
-sharp connection types
IPV6_ICMP_STRICT = "0"

-sharp Pre v2.6.20 kernel must set this option to "0" as no working state module is
-sharp present, so a static firewall is configured as a fallback
-sharp
-sharp A workaround has been added for CentOS/RedHat v5 and custom kernels that do
-sharp not support IPv6 connection tracking by opening ephemeral port range
-sharp 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
-sharp same workaround implemented by RedHat in the sample default IPv6 rules
-sharp
-sharp As connection tracking will not be configured, applications that rely on it
-sharp will not function unless all outgoing ports are opened. Therefore, all
-sharp outgoing connections will be allowed once all other tests have completed. So
-sharp TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
-sharp
-sharp If you allow incoming ipv6 DNS lookups you may need to use the following
-sharp directive in the options{} section of your named.conf:
-sharp
-sharp        query-source-v6 port 53;
-sharp
-sharp This will force ipv6 incoming DNS traffic only through port 53
-sharp
-sharp These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

-sharp Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

-sharp Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

-sharp Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"

-sharp Allow outgoing IPv6 UDP ports
-sharp To allow outgoing traceroute add 33434:33523 to this list 
UDP6_OUT = "20,21,53,113,123"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:General Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp By default, csf will auto-configure iptables to filter all traffic except on
-sharp the loopback device. If you only want iptables rules applied to a specific
-sharp NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

-sharp By adding a device to this option, ip6tables can be configured only on the
-sharp specified device. Otherwise, ETH_DEVICE and then the default setting will be
-sharp used
ETH6_DEVICE = ""

-sharp If you don"t want iptables rules applied to specific NICs, then list them in
-sharp a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

-sharp This option should be enabled unless the kernel does not support the
-sharp "conntrack" module
-sharp
-sharp To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

-sharp Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
-sharp instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
-sharp This will also remove the RELATED target from the global state iptables rule
-sharp
-sharp This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
-sharp the raw tables do not exist. The USE_CONNTRACK option should be enabled
-sharp
-sharp To enable this option, set it to your FTP server listening port number
-sharp (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

-sharp Check whether syslog is running. Many of the lfd checks require syslog to be
-sharp running correctly. This test will send a coded message to syslog every
-sharp SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
-sharp message. If it fails to do so within SYSLOG_CHECK seconds an alert using
-sharp syslogalert.txt is sent
-sharp
-sharp A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"

-sharp Enable this option if you want lfd to ignore (i.e. don"t block) IP addresses
-sharp listed in csf.allow in addition to csf.ignore (the default). This option
-sharp should be used with caution as it would mean that IP"s allowed through the
-sharp firewall from infected PC"s could launch attacks on the server that lfd
-sharp would ignore
IGNORE_ALLOW = "1"

-sharp Enable the following option if you want to apply strict iptables rules to DNS
-sharp traffic (i.e. relying on iptables connection tracking). Enabling this option
-sharp could cause DNS resolution issues both to and from the server but could help
-sharp prevent abuse of the local DNS server
DNS_STRICT = "0"

-sharp Enable the following option if you want to apply strict iptables rules to DNS
-sharp traffic between the server and the nameservers listed in /etc/resolv.conf
-sharp Enabling this option could cause DNS resolution issues both to and from the
-sharp server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

-sharp Limit the number of IP"s kept in the /etc/csf/csf.deny file
-sharp
-sharp Care should be taken when increasing this value on servers with low memory
-sharp resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
-sharp thousands) can sometimes cause network slowdown
-sharp
-sharp The value set here is the maximum number of IPs/CIDRs allowed
-sharp if the limit is reached, the entries will be rotated so that the oldest
-sharp entries (i.e. the ones at the top) will be removed and the latest is added.
-sharp The limit is only checked when using csf -d (which is what lfd also uses)
-sharp Set to 0 to disable limiting
-sharp
-sharp For implementations wishing to set this value significantly higher, we
-sharp recommend using the IPSET option
DENY_IP_LIMIT = "200"

-sharp Limit the number of IP"s kept in the temprary IP ban list. If the limit is
-sharp reached the oldest IP"s in the ban list will be removed and allowed
-sharp regardless of the amount of time remaining for the block
-sharp Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

-sharp Enable login failure detection daemon (lfd). If set to 0 none of the
-sharp following settings will have any effect as the daemon won"t start.
LF_DAEMON = "1"

-sharp Check whether csf appears to have been stopped and restart if necessary,
-sharp unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

-sharp This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
-sharp IP6TABLES_RESTORE in two ways:
-sharp
-sharp 1. On a clean server reboot the entire csf iptables configuration is saved
-sharp    and then restored where possible to provide a near instant firewall
-sharp    startup[*]
-sharp
-sharp 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
-sharp    BOGON, TOR are loaded using this method in a fraction of the time than if
-sharp    this setting is disabled
-sharp
-sharp [*]Not supported on all OS platforms
-sharp
-sharp Set to "0" to disable this functionality
FASTSTART = "1"

-sharp This option allows you to use ipset v6+ for the following csf options:
-sharp CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
-sharp GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
-sharp
-sharp ipset will only be used with the above options when listing IPs and CIDRs.
-sharp Advanced Allow Filters and temporary blocks use traditional iptables
-sharp
-sharp Using ipset moves the onus of ip matching against large lists away from
-sharp iptables rules and to a purpose built and optimised database matching
-sharp utility. It also simplifies the switching in of updated lists
-sharp
-sharp To use this option you must have a fully functioning installation of ipset
-sharp installed either via rpm or source from http://ipset.netfilter.org/
-sharp 
-sharp Note: Using ipset has many advantages, some disadvantages are that you will
-sharp no longer see packet and byte counts against IPs and it makes identifying
-sharp blocked/allowed IPs that little bit harder
-sharp
-sharp Note: If you mainly use IP address only entries in csf.deny, you can increase
-sharp the value of DENY_IP_LIMIT significantly if you wish
-sharp 
-sharp Note: It"s highly unlikely that ipset will function on Virtuozzo/OpenVZ
-sharp containers even if it has been installed
-sharp
-sharp If you find any problems, please post on forums.configserver.com with full
-sharp details of the issue
LF_IPSET = "0"

-sharp Versions of iptables greater or equal to v1.4.20 should support the --wait
-sharp option. This forces iptables commands that use the option to wait until a
-sharp lock by any other process using iptables completes, rather than simply
-sharp failing
-sharp
-sharp Enabling this feature will add the --wait option to iptables commands
-sharp
-sharp NOTE: The disadvantage of using this option is that any iptables command that
-sharp uses it will hang until the lock is released. This could cause a cascade of
-sharp hung processes trying to issue iptables commands. To try and avoid this issue
-sharp csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
-sharp a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"

-sharp The following sets the hashsize for ipset sets, which must be a power of 2.
-sharp
-sharp Note: Increasing this value will consume more memory for all sets
-sharp Default: "1024"
LF_IPSET_HASHSIZE = "1024"

-sharp The following sets the maxelem for ipset sets.
-sharp
-sharp Note: Increasing this value will consume more memory for all sets
-sharp Default: "65536"
LF_IPSET_MAXELEM = "65536"

-sharp If you enable this option then whenever a CLI request to restart csf is used
-sharp lfd will restart csf instead within LF_PARSE seconds
-sharp
-sharp This feature can be helpful for restarting configurations that cannot use
-sharp FASTSTART
LFDSTART = "0"

-sharp Enable verbose output of iptables commands
VERBOSE = "1"

-sharp Drop out of order packets and packets in an INVALID state in iptables
-sharp connection tracking
PACKET_FILTER = "1"

-sharp Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"

-sharp Custom styling is possible in the csf UI. See the readme.txt for more
-sharp information under "UI skinning and Mobile View"
-sharp
-sharp This option enables the use of custom styling. If the styling fails to work
-sharp correctly, e.g. custom styling does not take into account a change in the
-sharp standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"

-sharp This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:SMTP Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Block outgoing SMTP except for root, exim and mailman (forces scripts/users
-sharp to use the exim/sendmail binary instead of sockets access). This replaces the
-sharp protection as WHM > Tweak Settings > SMTP Tweaks
-sharp
-sharp This option uses the iptables ipt_owner/xt_owner module and must be loaded
-sharp for it to work. It may not be available on some VPS platforms
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
SMTP_BLOCK = "0"

-sharp If SMTP_BLOCK is enabled but you want to allow local connections to port 25
-sharp on the server (e.g. for webmail or web scripts) then enable this option to
-sharp allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

-sharp This option redirects outgoing SMTP connections destined for remote servers
-sharp for non-bypass users to the local SMTP server to force local relaying of
-sharp email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

-sharp This is a comma separated list of the ports to block. You should list all
-sharp ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

-sharp Always allow the following comma separated users and groups to bypass
-sharp SMTP_BLOCK
-sharp
-sharp Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"

-sharp This option will only allow SMTP AUTH to be advertised to the IP addresses
-sharp listed in /etc/csf/csf.smtpauth on EXIM mail servers
-sharp
-sharp The additional option CC_ALLOW_SMTPAUTH can be used with this option to
-sharp additionally restrict access to specific countries
-sharp
-sharp This is to help limit attempts at distributed attacks against SMTP AUTH which
-sharp are difficult to achive since port 25 needs to be open to relay email
-sharp
-sharp The reason why this works is that if EXIM does not advertise SMTP AUTH on a
-sharp connection, then SMTP AUTH will not accept logins, defeating the attacks
-sharp without restricting mail relaying
-sharp
-sharp Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
-sharp that the lookup file in /etc/exim.smtpauth is regenerated from the
-sharp information from /etc/csf/csf.smtpauth plus any countries listed in
-sharp CC_ALLOW_SMTPAUTH
-sharp
-sharp NOTE: To make this option work you MUST make the modifications to exim.conf
-sharp as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
-sharp after enabling the option here, otherwise this option will not work
-sharp
-sharp To enable this option, set to 1 and make the exim configuration changes
-sharp To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Port Flood Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Enable SYN Flood Protection. This option configures iptables to offer some
-sharp protection from tcp SYN packet DOS attempts. You should set the RATE so that
-sharp false-positives are kept to a minimum otherwise visitors may see connection
-sharp issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
-sharp man page for the correct --limit rate syntax
-sharp
-sharp Note: This option should ONLY be enabled if you know you are under a SYN
-sharp flood attack as it will slow down all new connections from any IP address to
-sharp the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

-sharp Connection Limit Protection. This option configures iptables to offer more
-sharp protection from DOS attacks against specific ports. It can also be used as a
-sharp way to simply limit resource usage by IP address to specific server services.
-sharp This option limits the number of concurrent new connections per IP address
-sharp that can be made to specific ports
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included
-sharp
-sharp For further information and syntax refer to the Connection Limit Protection
-sharp section of the csf readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
CONNLIMIT = ""

-sharp Port Flood Protection. This option configures iptables to offer protection
-sharp from DOS attacks against specific ports. This option limits the number of
-sharp new connections per time interval that can be made to specific ports
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included
-sharp
-sharp For further information and syntax refer to the Port Flood Protection
-sharp section of the csf readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
PORTFLOOD = "22;tcp;10;300,80;tcp;200;5,443;tcp;200;5"

-sharp Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
-sharp These typically originate from exploit scripts uploaded through vulnerable
-sharp web scripts. Care should be taken on servers that use services that utilise
-sharp high levels of UDP outbound traffic, such as SNMP, so you may need to alter
-sharp the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
-sharp
-sharp We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

-sharp This is a list of usernames that should not be rate limited, such as "named"
-sharp to prevent bind traffic from being limited.
-sharp
-sharp Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Logging Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
-sharp perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

-sharp Drop target for incoming iptables rules. This can be set to either DROP or
-sharp REJECT. REJECT will send back an error packet, DROP will not respond at all.
-sharp REJECT is more polite, however it does provide extra information to a hacker
-sharp and lets them know that a firewall is blocking their attempts. DROP hangs
-sharp their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

-sharp Drop target for outgoing iptables rules. This can be set to either DROP or
-sharp REJECT as with DROP, however as such connections are from this server it is
-sharp better to REJECT connections to closed ports rather than to DROP them. This
-sharp helps to immediately free up server resources rather than tying them up until
-sharp a connection times out. It also tells the process making the connection that
-sharp it has immediately failed
-sharp
-sharp It is possible that some monolithic kernels may not support the REJECT
-sharp target. If this is the case, csf checks before using REJECT and falls back to
-sharp using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

-sharp Enable logging of dropped connections to blocked ports to syslog, usually
-sharp /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

-sharp Enable logging of dropped incoming connections from blocked IP addresses
-sharp
-sharp This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

-sharp Enable logging of dropped outgoing connections
-sharp
-sharp Note: Only outgoing SYN packets for TCP connections are logged, other
-sharp protocols log all packets
-sharp
-sharp We recommend that you enable this option
DROP_OUT_LOGGING = "1"

-sharp Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
-sharp out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

-sharp Only log incoming reserved port dropped connections (0:1023). This can reduce
-sharp the amount of log noise from dropped connections, but will affect options
-sharp such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

-sharp Commonly blocked ports that you do not want logging as they tend to just fill
-sharp up the log file. These ports are specifically blocked (applied to TCP and UDP
-sharp protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

-sharp Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

-sharp Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
-sharp this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
-sharp addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

-sharp Enable logging of UDP floods. This should be enabled, especially with User ID
-sharp Tracking enabled
UDPFLOOD_LOGGING = "1"

-sharp Send an alert if log file flooding is detected which causes lfd to skip log
-sharp lines to prevent lfd from looping. If this alert is sent you should check the
-sharp reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Reporting Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp By default, lfd will send alert emails using the relevant alert template to
-sharp the To: address configured within that template. Setting the following
-sharp option will override the configured To: field in all lfd alert emails
-sharp
-sharp Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

-sharp By default, lfd will send alert emails using the relevant alert template from
-sharp the From: address configured within that template. Setting the following
-sharp option will override the configured From: field in all lfd alert emails
-sharp
-sharp Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

-sharp By default, lfd will send all alerts using the SENDMAIL binary. To send using
-sharp SMTP directly, you can set the following to a relaying SMTP server, e.g.
-sharp "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

-sharp Block Reporting. lfd can run an external script when it performs and IP
-sharp address block following for example a login failure. The following setting
-sharp is to the full path of the external script which must be executable. See
-sharp readme.txt for format details
-sharp
-sharp Leave this setting blank to disable
BLOCK_REPORT = ""

-sharp To also run an external script when a temporary block is unblocked. The
-sharp following setting can be the full path of the external script which must be
-sharp executable. See readme.txt for format details
-sharp
-sharp Leave this setting blank to disable
UNBLOCK_REPORT = ""

-sharp In addition to the standard lfd email alerts, you can additionally enable the
-sharp sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
-sharp block alert messages will be sent. The reports use our schema at:
-sharp https://download.configserver.com/abuse_login-attack_0.2.json
-sharp
-sharp These reports are in a format accepted by many Netblock owners and should
-sharp help them investigate abuse. This option is not designed to automatically
-sharp forward these reports to the Netblock owners and should be checked for
-sharp false-positive blocks before reporting
-sharp
-sharp If available, the report will also include the abuse contact for the IP from
-sharp the Abusix Contact DB: https://abusix.com/contactdb.html
-sharp
-sharp Note: The following block types are not reported through this feature:
-sharp LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

-sharp By default, lfd will send emails from the root forwarder. Setting the
-sharp following option will override this
X_ARF_FROM = ""

-sharp By default, lfd will send emails to the root forwarder. Setting the following
-sharp option will override this
X_ARF_TO = ""

-sharp If you want to automatically send reports to the abuse contact where found,
-sharp you can enable the following option
-sharp
-sharp Note: You MUST set X_ARF_FROM to a valid email address for this option to
-sharp work. This is so that the abuse contact can reply to the report
-sharp
-sharp However, you should be aware that without manual checking you could be
-sharp reporting innocent IP addresses, including your own clients, yourself and
-sharp your own servers
-sharp
-sharp Additionally, just because a contact address is found, does not mean that
-sharp there is anyone on the end of it reading, processing or acting on such
-sharp reports and you could conceivably reported for sending spam
-sharp
-sharp We do not recommend enabling this option. Abuse reports should be checked and
-sharp verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Temp to Perm/Netblock Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Temporary to Permanent IP blocking. The following enables this feature to
-sharp permanently block IP addresses that have been temporarily blocked more than
-sharp LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
-sharp LF_PERMBLOCK  to "1" to enable this feature
-sharp
-sharp Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
-sharp at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
-sharp (TTL) for blocked IPs, to be effective
-sharp
-sharp Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

-sharp Permanently block IPs by network class. The following enables this feature
-sharp to permanently block classes of IP address where individual IP addresses
-sharp within the same class LF_NETBLOCK_CLASS have already been blocked more than
-sharp LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
-sharp LF_NETBLOCK  to "1" to enable this feature
-sharp
-sharp This can be an affective way of blocking DDOS attacks launched from within
-sharp the same network class
-sharp
-sharp Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
-sharp consideration is required when blocking network classes A or B
-sharp
-sharp Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

-sharp Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
-sharp Great care should be taken with IPV6 netblock ranges due to the large number
-sharp of addresses involved
-sharp
-sharp To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Global Lists/DYNDNS/Blocklists
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
-sharp SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
-sharp chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
-sharp chain, then flush and delete the old dynamic chain and rename the new chain.
-sharp
-sharp This prevents a small window of opportunity opening when an update occurs and
-sharp the dynamic chain is flushed for the new rules.
-sharp
-sharp This option should not be enabled on servers with long dynamic chains (e.g.
-sharp CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
-sharp Virtuozzo VPS servers with a restricted numiptent value. This is because each
-sharp chain will effectively be duplicated while the update occurs, doubling the
-sharp number of iptables rules
SAFECHAINUPDATE = "0"

-sharp If you wish to allow access from dynamic DNS records (for example if your IP
-sharp address changes whenever you connect to the internet but you have a dedicated
-sharp dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
-sharp records in csf.dyndns and then set the following to the number of seconds to
-sharp poll for a change in the IP address. If the IP address has changed iptables
-sharp will be updated.
-sharp
-sharp If the FQDN has multiple A records then all of the IP addresses will be
-sharp processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
-sharp also be allowed.
-sharp 
-sharp A setting of 600 would check for IP updates every 10 minutes. Set the value
-sharp to 0 to disable the feature
DYNDNS = "0"

-sharp To always ignore DYNDNS IP addresses in lfd blocking, set the following
-sharp option to 1
DYNDNS_IGNORE = "0"

-sharp The follow Global options allow you to specify a URL where csf can grab a
-sharp centralised copy of an IP allow or deny block list of your own. You need to
-sharp specify the full URL in the following options, i.e.:
-sharp http://www.somelocation.com/allow.txt
-sharp
-sharp The actual retrieval of these IP"s is controlled by lfd, so you need to set
-sharp LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
-sharp will perform the retrieval when it runs and then again at the specified
-sharp interval. A sensible interval would probably be every 3600 seconds (1 hour).
-sharp A minimum value of 300 is enforced for LF_GLOBAL if enabled
-sharp
-sharp You do not have to specify both an allow and a deny file
-sharp
-sharp You can also configure a global ignore file for IP"s that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

-sharp Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
-sharp this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

-sharp Set the following to the number of seconds to poll for a change in the IP
-sharp address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

-sharp To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
-sharp option to 1
GLOBAL_DYNDNS_IGNORE = "0"

-sharp Blocklists are controlled by modifying /etc/csf/csf.blocklists
-sharp
-sharp If you don"t want BOGON rules applied to specific NICs, then list them in
-sharp a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""

-sharp The following option can be used to select either HTTP::Tiny or
-sharp LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
-sharp LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
-sharp have to be installed manually, but it can better support https:// URL"s
-sharp which also needs the LWP::Protocol::https perl module
-sharp
-sharp For example:
-sharp
-sharp On rpm based systems:
-sharp 
-sharp   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
-sharp
-sharp On APT based systems:
-sharp
-sharp   apt-get install libwww-perl liblwp-protocol-https-perl
-sharp
-sharp Via cpan:
-sharp
-sharp   perl -MCPAN -eshell
-sharp   cpan> install LWP LWP::Protocol::https
-sharp
-sharp We recommend setting this set to "2" as upgrades to csf will be performed
-sharp over SSL to https://download.configserver.com
-sharp
-sharp "1" = HTTP::Tiny
-sharp "2" = LWP::UserAgent
URLGET = "2"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Country Code Lists and Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Country Code to CIDR allow/deny. In the following two options you can allow
-sharp or deny whole country CIDR ranges. The CIDR blocks are generated from the
-sharp MaxMind GeoLite2 Country database at:
-sharp https://dev.MaxMind.com/geoip/geoip2/geolite2/
-sharp This feature relies entirely on that service being available
-sharp
-sharp Specify the the two-letter ISO Country Code(s). The iptables rules are for
-sharp incoming connections only
-sharp
-sharp Additionally, ASN numbers can also be added to the comma separated lists
-sharp below that also list Country Codes. The same WARNINGS for Country Codes apply
-sharp to the use of ASNs. More about Autonomous System Numbers (ASN):
-sharp http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
-sharp
-sharp You should consider using LF_IPSET when using any of the following options
-sharp
-sharp WARNING: These lists are never 100% accurate and some ISP"s (e.g. AOL) use
-sharp non-geographic IP address designations for their clients
-sharp
-sharp WARNING: Some of the CIDR lists are huge and each one requires a rule within
-sharp the incoming iptables chain. This can result in significant performance
-sharp overheads and could render the server inaccessible in some circumstances. For
-sharp this reason (amongst others) we do not recommend using these options
-sharp
-sharp WARNING: Due to the resource constraints on VPS servers this feature should
-sharp not be used on such systems unless you choose very small CC zones
-sharp
-sharp WARNING: CC_ALLOW allows access through all ports in the firewall. For this
-sharp reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
-sharp preferred
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

-sharp An alternative to CC_ALLOW is to only allow access from the following
-sharp countries but still filter based on the port and packets rules. All other
-sharp connections are dropped
CC_ALLOW_FILTER = ""

-sharp This option allows access from the following countries to specific ports
-sharp listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
-sharp
-sharp Note: The rules for this feature are inserted after the allow and deny
-sharp rules to still allow blocking of IP addresses
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

-sharp All listed ports should be removed from TCP_IN/UDP_IN to block access from
-sharp elsewhere. This option uses the same format as TCP_IN/UDP_IN
-sharp
-sharp An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
-sharp then only counties listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

-sharp This option denies access from the following countries to specific ports
-sharp listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
-sharp
-sharp Note: The rules for this feature are inserted after the allow and deny
-sharp rules to still allow allowing of IP addresses
-sharp
-sharp Each option is a comma separated list of CC"s, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

-sharp This option uses the same format as TCP_IN/UDP_IN. The ports listed should
-sharp NOT be removed from TCP_IN/UDP_IN
-sharp
-sharp An example would be to list port 21 here then counties listed in
-sharp CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

-sharp This Country Code list will prevent lfd from blocking IP address hits for the
-sharp listed CC"s
-sharp
-sharp CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

-sharp This Country Code list will only allow SMTP AUTH to be advertised to the
-sharp listed countries in EXIM. This is to help limit attempts at distributed
-sharp attacks against SMTP AUTH which are difficult to achive since port 25 needs
-sharp to be open to relay email
-sharp
-sharp The reason why this works is that if EXIM does not advertise SMTP AUTH on a
-sharp connection, then SMTP AUTH will not accept logins, defeating the attacks
-sharp without restricting mail relaying
-sharp
-sharp This option can generate a very large list of IP addresses that could easily
-sharp severely impact on SMTP (mail) performance, so care must be taken when
-sharp selecting countries and if performance issues ensue
-sharp
-sharp The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

-sharp Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
-sharp than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
-sharp help reduce the number of CC entries and may improve iptables throughput.
-sharp Obviously, this will deny/allow fewer IP addresses depending on how small you
-sharp configure the option
-sharp
-sharp For example, to ignore all CIDR (and single IP) entries small than a /16, set
-sharp this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

-sharp Display Country Code and Country for reported IP addresses. This option can
-sharp be configured to use the MaxMind Country Database or the more detailed (and
-sharp much larger and therefore slower) MaxMind City Database. An additional option
-sharp is also available if you cannot use the MaxMind databases
-sharp
-sharp "0" - disable
-sharp "1" - Reports: Country Code and Country
-sharp "2" - Reports: Country Code and Country and Region and City
-sharp "3" - Reports: Country Code and Country and Region and City and ASN
-sharp "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
-sharp
-sharp Note: "4" does not use the MaxMind databases directly for lookups. Instead it
-sharp uses a URL-based lookup from a third-party provider at https://freegeoip.net
-sharp and so avoids having to download and process the large databases. Please
-sharp visit the https://freegeoip.net and read their limitations and respect that
-sharp this option will either cease to function or be removed by us if that site is
-sharp abused or overloaded. ONLY use this option if you have difficulties using the
-sharp MaxMind databases. This option is ONLY for IP lookups, NOT when using the
-sharp CC_* options above, which will continue to use the MaxMind databases
-sharp
CC_LOOKUPS = "1"

-sharp Display Country Code and Country for reported IPv6 addresses using the
-sharp MaxMind Country IPv6 Database
-sharp
-sharp "0" - disable
-sharp "1" - enable and report the detail level as specified in CC_LOOKUPS
-sharp
-sharp This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
-sharp PORTFLOOD
CC6_LOOKUPS = "0"

-sharp This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
-sharp database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
-sharp days)
CC_INTERVAL = "14"


nginx.conf is configured as follows


-sharpuser  nobody;
worker_processes  1;

-sharperror_log  logs/error.log;
-sharperror_log  logs/error.log  notice;
-sharperror_log  logs/error.log  info;

-sharppid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    -sharplog_format  main  "$remote_addr - $remote_user [$time_local] "$request" "
    -sharp                  "$status $body_bytes_sent "$http_referer" "
    -sharp                  ""$http_user_agent" "$http_x_forwarded_for"";

    -sharpaccess_log  logs/access.log  main;

    sendfile        on;
    -sharptcp_nopush     on;

    -sharpkeepalive_timeout  0;
    keepalive_timeout  65;

    client_max_body_size 8m;    -sharp
    client_body_buffer_size 2m;  -sharp

    gzip  on;
    -sharpWAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    server {
        listen       127.0.0.1;
        server_name  mywebsiteip.com;

        -sharpcharset koi8-r;

        -sharpaccess_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.php index.html index.htm;
        }

        -sharperror_page  404              /404.html;

        -sharp redirect server error pages to the static page /50x.html
        -sharp
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        -sharp proxy the PHP scripts to Apache listening on 127.0.0.1:80
        -sharp
        -sharplocation ~ \.php$ {
        -sharp    proxy_pass   http://127.0.0.1;
        -sharp}

        -sharp pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        -sharp
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        -sharp deny access to .htaccess files, if Apache"s document root
        -sharp concurs with nginx"s one
        -sharp
        -sharplocation ~ /\.ht {
        -sharp    deny  all;
        -sharp}
    }


    -sharp another virtual host using mix of IP-, name-, and port-based configuration
    -sharp
    -sharpserver {
    -sharp    listen       8000;
    -sharp    listen       somename:8080;
    -sharp    server_name  somename  alias  another.alias;

    -sharp    location / {
    -sharp        root   html;
    -sharp        index  index.html index.htm;
    -sharp    }
    -sharp}


    -sharp HTTPS server
    -sharp
    -sharpserver {
    -sharp    listen       443 ssl;
    -sharp    server_name  localhost;

    -sharp    ssl_certificate      cert.pem;
    -sharp    ssl_certificate_key  cert.key;

    -sharp    ssl_session_cache    shared:SSL:1m;
    -sharp    ssl_session_timeout  5m;

    -sharp    ssl_ciphers  HIGH:!aNULL:!MD5;
    -sharp    ssl_prefer_server_ciphers  on;

    -sharp    location / {
    -sharp        root   html;
    -sharp        index  index.html index.htm;
    -sharp    }
    -sharp}

}
Mar.21,2021

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Login Failure Blocking and Alerts
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp The following[*] triggers are application specific. If you set LF_TRIGGER to
-sharp "0" the value of each trigger is the number of failures against that
-sharp application that will trigger lfd to block the IP address
-sharp
-sharp If you set LF_TRIGGER to a value greater than "0" then the following[*]
-sharp application triggers are simply on or off ("0" or "1") and the value of
-sharp LF_TRIGGER is the total cumulative number of failures that will trigger lfd
-sharp to block the IP address
-sharp
-sharp Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

-sharp If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
-sharp block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
-sharp "1" and the IP address will be blocked temporarily for that value in seconds.
-sharp For example:
-sharp LF_TRIGGER_PERM = "1" => the IP is blocked permanently
-sharp LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
-sharp
-sharp If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
-sharp in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

-sharp To only block access to the failed application instead of a complete block
-sharp for an ip address, you can set the following to "1", but LF_TRIGGER must be
-sharp set to "0" with specific application[*] trigger levels also set appropriately
-sharp
-sharp The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

-sharp Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

-sharp [*]Enable login failure detection of sshd connections
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

-sharp [*]Enable login failure detection of ftp connections
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

-sharp [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

-sharp [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

-sharp [*]Enable login failure detection of pop3 connections
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

-sharp [*]Enable login failure detection of imap connections
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

-sharp [*]Enable login failure detection of Apache .htpasswd connections
-sharp Due to the often high logging rate in the Apache error log, you might want to
-sharp enable this option only if you know you are suffering from attacks against
-sharp password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

-sharp [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

-sharp [*]Enable detection of repeated BIND denied requests
-sharp This option should be enabled with care as it will prevent blocked IPs from
-sharp resolving any domains on the server. You might want to set the trigger value
-sharp reasonably high to avoid this
-sharp Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

-sharp [*]Enable detection of repeated suhosin ALERTs
-sharp Example: LF_SUHOSIN = "5"
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

-sharp [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
-sharp This option will block IP addresses if cxs detects a hits from the
-sharp ModSecurity rule associated with it
-sharp
-sharp Note: This option takes precedence over LF_MODSEC and removes any hits
-sharp counted towards LF_MODSEC for the cxs rule
-sharp
-sharp This setting should probably set very low, perhaps to 1, if you want to
-sharp effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

-sharp [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

-sharp [*]Enable detection of repeated Apache symlink race condition triggers from
-sharp the Apache patch provided by:
-sharp http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
-sharp This patch has also been included by cPanel via the easyapache option:
-sharp "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

-sharp [*]Enable login failure detection of webmin connections
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

-sharp Send an email alert if anyone logs in successfully using SSH
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

-sharp Send an email alert if anyone uses su to access another account. This will
-sharp send an email alert whether the attempt to use su was successful or not
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

-sharp Send an email alert if anyone accesses webmin
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

-sharp Send an email alert if anyone logs in successfully to root on the console
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

-sharp This option will keep track of the number of "File does not exist" errors in
-sharp HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
-sharp seconds then the IP address will be blocked
-sharp
-sharp Care should be used with this option as it could generate many
-sharp false-positives, especially Search Bots (use csf.rignore to ignore such bots)
-sharp so only use this option if you know you are under this type of attack
-sharp
-sharp A sensible setting for this would be quite high, perhaps 200
-sharp
-sharp To disable set to "0"
LF_APACHE_404 = "0"

-sharp If this option is set to 1 the blocks will be permanent
-sharp If this option is > 1, the blocks will be temporary for the specified number
-sharp of seconds
LF_APACHE_404_PERM = "3600"

-sharp This option will keep track of the number of "client denied by server
-sharp configuration" errors in HTACCESS_LOG. If the number of hits is more than
-sharp LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
-sharp
-sharp Care should be used with this option as it could generate many
-sharp false-positives, especially Search Bots (use csf.rignore to ignore such bots)
-sharp so only use this option if you know you are under this type of attack
-sharp
-sharp A sensible setting for this would be quite high, perhaps 200
-sharp
-sharp To disable set to "0"
LF_APACHE_403 = "0"

-sharp If this option is set to 1 the blocks will be permanent
-sharp If this option is > 1, the blocks will be temporary for the specified number
-sharp of seconds
LF_APACHE_403_PERM = "3600"

-sharp This option will keep track of the number of 401 failures in HTACCESS_LOG.
-sharp If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
-sharp the IP address will be blocked
-sharp
-sharp To disable set to "0"
LF_APACHE_401 = "0"

-sharp This option is used to determine if the Apache error_log format contains the
-sharp client port after the client IP. In Apache prior to v2.4, this was not the
-sharp case. In Apache v2.4+ the error_log format can be configured using
-sharp ErrorLogFormat, making the port directive optional
-sharp
-sharp Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
-sharp to the client IP by default. This makes determining client IPv6 addresses
-sharp difficult unless we know whether the port is being appended or not
-sharp
-sharp lfd will attempt to autodetect the correct value if this option is set to "0"
-sharp from the httpd binary found in common locations. If it fails to find a binary
-sharp it will be set to "2", unless specified here
-sharp
-sharp The value can be set here explicitly if the autodetection does not work:
-sharp 0 - autodetect
-sharp 1 - no port directive after client IP
-sharp 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

-sharp If this option is set to 1 the blocks will be permanent
-sharp If this option is > 1, the blocks will be temporary for the specified number
-sharp of seconds
LF_APACHE_401_PERM = "3600"

-sharp This option will send an alert if the ModSecurity IP persistent storage grows
-sharp excessively large: https://goo.gl/rGh5sF
-sharp
-sharp More information on cPanel servers here: https://goo.gl/vo6xTE
-sharp
-sharp LF_MODSECIPDB_FILE must be set to the correct location of the database file
-sharp
-sharp The check is performed at lfd startup and then once per hour, the template
-sharp used is modsecipdbalert.txt
-sharp
-sharp Set to "0" to disable this option, otherwise it is the threshold size of the
-sharp file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

-sharp This is the location of the persistent IP storage file on the server, e.g.:
-sharp /var/run/modsecurity/data/ip.pag
-sharp /var/cpanel/secdatadir/ip.pag
-sharp /var/cache/modsecurity/ip.pag
-sharp /usr/local/apache/conf/modsec/data/msa/ip.pag
-sharp /var/tmp/ip.pag
-sharp /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

-sharp System Exploit Checking. This option is designed to perform a series of tests
-sharp to send an alert in case a possible server compromise is detected
-sharp
-sharp To enable this feature set the following to the checking interval in seconds
-sharp (a value of 300 would seem sensible).
-sharp
-sharp To disable set to "0"
LF_EXPLOIT = "300"

-sharp This comma separated list allows you to ignore tests LF_EXPLOIT performs
-sharp
-sharp For the SUPERUSER check, you can list usernames in csf.suignore to have them
-sharp ignored for that test
-sharp
-sharp Valid tests are:
-sharp SUPERUSER,SSHDSPAM
-sharp
-sharp If you want to ignore a test add it to this as a comma separated list, e.g.
-sharp "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""

-sharp Set the time interval to track login and other LF_ failures within (seconds),
-sharp i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

-sharp This is how long the lfd process sleeps (in seconds) before processing the
-sharp log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

-sharp This is the interval that is used to flush reports of usernames, files and
-sharp pids so that persistent problems continue to be reported, in seconds.
-sharp A value of 3600 seems sensible
LF_FLUSH = "3600"

-sharp Under some circumstances iptables can fail to include a rule instruction,
-sharp especially if more than one request is made concurrently. In this event, a
-sharp permanent block entry may exist in csf.deny, but not in iptables.
-sharp
-sharp This option instructs csf to deny an already blocked IP address the number
-sharp of times set. The downside, is that there will be multiple entries for an IP
-sharp address in csf.deny and possibly multiple rules for the same IP address in
-sharp iptables. This needs to be taken into consideration when unblocking such IP
-sharp addresses.
-sharp
-sharp Set to "0" to disable this feature. Do not set this too high for the reasons
-sharp detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

-sharp By default csf will create both an inbound and outbound blocks from/to an IP
-sharp unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
-sharp effective way to block IP traffic. This option instructs csf to only block
-sharp inbound traffic from those IP's and so reduces the number of iptables rules,
-sharp but at the expense of less effectiveness. For this reason we recommend
-sharp leaving this option disabled
-sharp 
-sharp Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:CloudFlare
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp This features provides interaction with the CloudFlare Firewall
-sharp
-sharp As CloudFlare is a reverse proxy, any attacking IP addresses (so far as 
-sharp iptables is concerned) come from the CloudFlare IP's. To counter this, an
-sharp Apache module (mod_cloudflare) is available that obtains the true attackers
-sharp IP from a custom HTTP header record (similar functionality is available
-sharp for other HTTP daemons
-sharp
-sharp However, despite now knowing the true attacking IP address, iptables cannot
-sharp be used to block that IP as the traffic is still coming from the CloudFlare
-sharp servers
-sharp
-sharp CloudFlare have provided a Firewall feature within the user account where
-sharp rules can be added to block, challenge or whitelist IP addresses
-sharp
-sharp Using the CloudFlare API, this feature adds and removes attacking IPs from
-sharp that firewall and provides CLI (and via the UI) additional commands
-sharp
-sharp See /etc/csf/readme.txt for more information about this feature and the
-sharp restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

-sharp This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

-sharp This setting determines how long the temporary block will apply within csf
-sharp and CloudFlare, keeping them in sync
-sharp
-sharp Block duration in seconds - overrides perm block or time of individual blocks
-sharp in lfd for block triggers
CF_TEMP = "3600"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Directory Watching & Integrity 
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
-sharp directories for suspicious files, i.e. script exploits. If a suspicious
-sharp file is found an email alert is sent. One alert per file per LF_FLUSH
-sharp interval is sent
-sharp
-sharp To enable this feature set the following to the checking interval in seconds.
-sharp To disable set to "0"
LF_DIRWATCH = "300"

-sharp To remove any suspicious files found during directory watching, enable the
-sharp following. These files will be appended to a tarball in
-sharp /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

-sharp This option allows you to have lfd watch a particular file or directory for
-sharp changes and should they change and email alert using watchalert.txt is sent
-sharp
-sharp To enable this feature set the following to the checking interval in seconds
-sharp (a value of 60 would seem sensible) and add your entries to csf.dirwatch
-sharp
-sharp Set to disable set to "0"
LF_DIRWATCH_FILE = "0"

-sharp System Integrity Checking. This enables lfd to compare md5sums of the
-sharp servers OS binary application files from the time when lfd starts. If the
-sharp md5sum of a monitored file changes an alert is sent. This option is intended
-sharp as an IDS (Intrusion Detection System) and is the last line of detection for
-sharp a possible root compromise.
-sharp
-sharp There will be constant false-positives as the servers OS is updated or
-sharp monitored application binaries are updated. However, unexpected changes
-sharp should be carefully inspected.
-sharp
-sharp Modified files will only be reported via email once.
-sharp
-sharp To enable this feature set the following to the checking interval in seconds
-sharp (a value of 3600 would seem sensible). This option may increase server I/O
-sharp load onto the server as it checks system binaries.
-sharp
-sharp To disable set to "0"
LF_INTEGRITY = "3600"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Distributed Attacks
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Distributed Account Attack. This option will keep track of login failures
-sharp from distributed IP addresses to a specific application account. If the
-sharp number of failures matches the trigger value above, ALL of the IP addresses
-sharp involved in the attack will be blocked according to the temp/perm rules above
-sharp
-sharp Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 
-sharp LF_HTACCESS
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"

-sharp Set the following to the minimum number of unique IP addresses that trigger
-sharp LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"

-sharp Distributed FTP Logins. This option will keep track of successful FTP logins.
-sharp If the number of successful logins to an individual account is at least
-sharp LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
-sharp then all of the IP addresses will be blocked
-sharp
-sharp This option can help mitigate the common FTP account compromise attacks that
-sharp use a distributed network of zombies to deface websites
-sharp
-sharp A sensible setting for this might be 5, depending on how many different
-sharp IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
-sharp
-sharp To disable set to "0"
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"

-sharp Set the following to the minimum number of unique IP addresses that trigger
-sharp LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"

-sharp If this option is set to 1 the blocks will be permanent
-sharp If this option is > 1, the blocks will be temporary for the specified number
-sharp of seconds
LF_DISTFTP_PERM = "1"

-sharp Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"

-sharp Distributed SMTP Logins. This option will keep track of successful SMTP
-sharp logins. If the number of successful logins to an individual account is at
-sharp least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
-sharp addresses, then all of the IP addresses will be blocked. These options only
-sharp apply to the exim MTA
-sharp
-sharp This option can help mitigate the common SMTP account compromise attacks that
-sharp use a distributed network of zombies to send spam
-sharp
-sharp A sensible setting for this might be 5, depending on how many different
-sharp IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
-sharp
-sharp To disable set to "0"
LF_DISTSMTP = "0"

-sharp Set the following to the minimum number of unique IP addresses that trigger
-sharp LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

-sharp If this option is set to 1 the blocks will be permanent
-sharp If this option is > 1, the blocks will be temporary for the specified number
-sharp of seconds
LF_DISTSMTP_PERM = "1"

-sharp Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"

-sharp This is the interval during which a distributed FTP or SMTP attack is
-sharp measured
LF_DIST_INTERVAL = "300"

-sharp If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
-sharp path to a script, it will run the script and pass the following as arguments:
-sharp
-sharp LF_DISTFTP/LF_DISTSMTP
-sharp account name
-sharp log file text
-sharp
-sharp The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Login Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Block POP3 logins if greater than LT_POP3D times per hour per account per IP
-sharp address (0=disabled)
-sharp
-sharp This is a temporary block for the rest of the hour, afterwhich the IP is
-sharp unblocked
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LT_POP3D = "0"

-sharp Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
-sharp address (0=disabled) - not recommended for IMAP logins due to the ethos
-sharp within which IMAP works. If you want to use this, setting it quite high is
-sharp probably a good idea
-sharp
-sharp This is a temporary block for the rest of the hour, afterwhich the IP is
-sharp unblocked
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
LT_IMAPD = "0"

-sharp Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
-sharp per IP
LT_EMAIL_ALERT = "1"

-sharp If LF_PERMBLOCK is enabled but you do not want this to apply to
-sharp LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Connection Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Connection Tracking. This option enables tracking of all connections from IP
-sharp addresses to the server. If the total number of connections is greater than
-sharp this value then the offending IP address is blocked. This can be used to help
-sharp prevent some types of DOS attack.
-sharp
-sharp Care should be taken with this option. It's entirely possible that you will
-sharp see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
-sharp and HTTP so it could be quite easy to trigger, especially with a lot of
-sharp closed connections in TIME_WAIT. However, for a server that is prone to DOS
-sharp attacks this may be very useful. A reasonable setting for this option might
-sharp be around 300.
-sharp
-sharp To disable this feature, set this to 0
CT_LIMIT = "1500"

-sharp Connection Tracking interval. Set this to the the number of seconds between
-sharp connection tracking scans
CT_INTERVAL = "30"

-sharp Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

-sharp If you want to make IP blocks permanent then set this to 1, otherwise blocks
-sharp will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"

-sharp If you opt for temporary IP blocks for CT, then the following is the interval
-sharp in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

-sharp If you don't want to count the TIME_WAIT state against the connection count
-sharp then set the following to "1"
CT_SKIP_TIME_WAIT = "0"

-sharp If you only want to count specific states (e.g. SYN_RECV) then add the states
-sharp to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
-sharp
-sharp Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""

-sharp If you only want to count specific ports (e.g. 80,443) then add the ports
-sharp to the following as a comma separated list. E.g. "80,443"
-sharp
-sharp Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = ""

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Process Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Process Tracking. This option enables tracking of user and nobody processes
-sharp and examines them for suspicious executables or open network ports. Its
-sharp purpose is to identify potential exploit processes that are running on the
-sharp server, even if they are obfuscated to appear as system services. If a
-sharp suspicious process is found an alert email is sent with relevant information.
-sharp It is then the responsibility of the recipient to investigate the process
-sharp further as the script takes no further action
-sharp
-sharp The following is the number of seconds a process has to be active before it
-sharp is inspected. If you set this time too low, then you will likely trigger
-sharp false-positives with CGI or PHP scripts.
-sharp Set the value to 0 to disable this feature
PT_LIMIT = "60"

-sharp How frequently processes are checked in seconds
PT_INTERVAL = "60"

-sharp If you want process tracking to highlight php or perl scripts that are run
-sharp through apache then disable the following,
-sharp i.e. set it to 0
-sharp
-sharp While enabling this setting will reduce false-positives, having it set to 0
-sharp does provide better checking for exploits running on the server
PT_SKIP_HTTP = "0"

-sharp lfd will report processes, even if they're listed in csf.pignore, if they're
-sharp tagged as (deleted) by Linux. This information is provided in Linux under
-sharp /proc/PID/exe. A (deleted) process is one that is running a binary that has
-sharp the inode for the file removed from the file system directory. This usually
-sharp happens when the binary has been replaced due to an upgrade for it by the OS
-sharp vendor or another third party (e.g. cPanel). You need to investigate whether
-sharp this is indeed the case to be sure that the original binary has not been
-sharp replaced by a rootkit or is running an exploit.
-sharp
-sharp Note: If a deleted executable process is detected and reported then lfd will
-sharp not report children of the parent (or the parent itself if a child triggered
-sharp the report) if the parent is also a deleted executable process
-sharp
-sharp To stop lfd reporting such process you need to restart the daemon to which it
-sharp belongs and therefore run the process using the replacement binary (presuming
-sharp one exists). This will normally mean running the associated startup script in
-sharp /etc/init.d/
-sharp
-sharp If you do want lfd to report deleted binary processes, set to 1
PT_DELETED = "0"

-sharp If a PT_DELETED event is triggered, then if the following contains the path to
-sharp a script, it will be run in a child process and passed the executable, pid,
-sharp account for the process, and parent pid
-sharp
-sharp The action script must have the execute bit and interpreter (shebang) set. An
-sharp example is provided in /usr/local/csf/bin/pt_deleted_action.pl
-sharp
-sharp WARNING: Make sure you read and understand the potential security
-sharp implications of such processes in PT_DELETED above before simply restarting
-sharp such processes with a script
PT_DELETED_ACTION = ""

-sharp User Process Tracking. This option enables the tracking of the number of
-sharp process any given account is running at one time. If the number of processes
-sharp exceeds the value of the following setting an email alert is sent with
-sharp details of those processes. If you specify a user in csf.pignore it will be
-sharp ignored
-sharp
-sharp Set to 0 to disable this feature
PT_USERPROC = "10"

-sharp This User Process Tracking option sends an alert if any user process exceeds
-sharp the virtual memory usage set (MB). To ignore specific processes or users use
-sharp csf.pignore
-sharp
-sharp Set to 0 to disable this feature
PT_USERMEM = "512"

-sharp This User Process Tracking option sends an alert if any user process exceeds
-sharp the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
-sharp processes or users use csf.pignore
-sharp
-sharp Set to 0 to disable this feature
PT_USERRSS = "256"

-sharp This User Process Tracking option sends an alert if any linux user process
-sharp exceeds the time usage set (seconds). To ignore specific processes or users
-sharp use csf.pignore
-sharp
-sharp Set to 0 to disable this feature
PT_USERTIME = "1800"

-sharp If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
-sharp PT_USERPROC are killed
-sharp
-sharp Warning: We don't recommend enabling this option unless absolutely necessary
-sharp as it can cause unexpected problems when processes are suddenly terminated.
-sharp It can also lead to system processes being terminated which could cause
-sharp stability issues. It is much better to leave this option disabled and to
-sharp investigate each case as it is reported when the triggers above are breached
-sharp
-sharp Note: Processes that are running deleted excecutables (see PT_DELETED) will
-sharp not be killed by lfd
PT_USERKILL = "0"

-sharp If you want to disable email alerts if PT_USERKILL is triggered, then set
-sharp this option to 0
PT_USERKILL_ALERT = "1"

-sharp If a PT_* event is triggered, then if the following contains the path to
-sharp a script, it will be run in a child process and passed the PID(s) of the
-sharp process(es) in a comma separated list.
-sharp
-sharp The action script must have the execute bit and interpreter (shebang) set
PT_USER_ACTION = ""

-sharp Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
-sharp defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
-sharp load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
-sharp sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
-sharp seconds has passed to prevent email floods.
-sharp
-sharp Set PT_LOAD to "0" to disable this feature
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"

-sharp This is the Apache Server Status URL used in the email alert. Requires the
-sharp Apache mod_status module to be installed and configured correctly
PT_APACHESTATUS = "http://127.0.0.1/server-status"

-sharp If a PT_LOAD event is triggered, then if the following contains the path to
-sharp a script, it will be run in a child process. For example, the script could
-sharp contain commands to terminate and restart httpd, php, exim, etc incase of
-sharp looping processes. The action script must have the execute bit an 
-sharp interpreter (shebang) set
PT_LOAD_ACTION = ""

-sharp Fork Bomb Protection. This option checks the number of processes with the
-sharp same session id and if greater than the value set, the whole session tree is
-sharp terminated and an alert sent
-sharp
-sharp You can see an example of common session id processes on most Linux systems
-sharp using: "ps axf -O sid"
-sharp
-sharp On cPanel servers, PT_ALL_USERS should be enabled to use this option
-sharp effectively
-sharp
-sharp This option will check root owned processes. Session id 0 and 1 will always
-sharp be ignored as they represent kernel and init processes. csf.pignore will be
-sharp honoured, but bear in mind that a session tree can contain a variety of users
-sharp and executables
-sharp
-sharp Care needs to be taken to ensure that this option only detects runaway fork
-sharp bombs, so should be set higher than any session tree is likely to get (e.g.
-sharp httpd could have 100s of legitimate children on very busy systems). A
-sharp sensible starting point on most servers might be 250
PT_FORKBOMB = "0"

-sharp Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
-sharp are often left hanging after their connecting IP addresses have been blocked
-sharp
-sharp This option will terminate the SSH processes created by the blocked IP. This
-sharp option is preferred over PT_SSHDHUNG
PT_SSHDKILL = "0"

-sharp This option will terminate all processes with the cmdline of "sshd: unknown
-sharp [net]" or "sshd: unknown [priv]" if they have been running for more than 60
-sharp seconds
PT_SSHDHUNG = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Port Scan Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Port Scan Tracking. This feature tracks port blocks logged by iptables to
-sharp syslog. If an IP address generates a port block that is logged more than
-sharp PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
-sharp
-sharp This feature could, for example, be useful for blocking hackers attempting
-sharp to access the standard SSH port if you have moved it to a port other than 22
-sharp and have removed 22 from the TCP_IN list so that connection attempts to the
-sharp old port are being logged
-sharp
-sharp This feature blocks all iptables blocks from the iptables logs, including
-sharp repeated attempts to one port or SYN flood blocks, etc
-sharp
-sharp Note: This feature will only track iptables blocks from the log file set in
-sharp IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
-sharp cause redundant blocking with DROP_IP_LOGGING enabled
-sharp
-sharp Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
-sharp could very quickly fill the iptables rule chains and cause a DOS in itself.
-sharp The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
-sharp and the DENY_TEMP_IP_LIMIT with temporary blocks
-sharp
-sharp Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
-sharp would be sensible to enable this feature
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
PS_INTERVAL = "0"
PS_LIMIT = "10"

-sharp You can specify the ports and/or port ranges that should be tracked by the
-sharp Port Scan Tracking feature. The following setting is a comma separated list
-sharp of those ports and uses the same format as TCP_IN. The setting of
-sharp 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
-sharp
-sharp Special values are:
-sharp   ICMP    - include ICMP blocks (see ICMP_*)
-sharp   INVALID - include INVALID blocks (see PACKET_FILTER)
-sharp   OPEN    - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
-sharp   BRD     - include UDP Broadcast IPs, otherwise they are ignored
PS_PORTS = "0:65535,ICMP"

-sharp To specify how many different ports qualifies as a Port Scan you can increase
-sharp the following from the default value of 1. The risk in doing so will mean
-sharp that persistent attempts to attack a specific closed port will not be
-sharp detected and blocked
PS_DIVERSITY = "1"

-sharp You can select whether IP blocks for Port Scan Tracking should be temporary
-sharp or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
-sharp blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
-sharp temporarily block the IP address for
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"

-sharp Set the following to "1" to enable Port Scan Tracking email alerts, set to
-sharp "0" to disable them
PS_EMAIL_ALERT = "1"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:User ID Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp User ID Tracking. This feature tracks UID blocks logged by iptables to
-sharp syslog. If a UID generates a port block that is logged more than UID_LIMIT
-sharp times within UID_INTERVAL seconds, an alert will be sent
-sharp
-sharp Note: This feature will only track iptables blocks from the log file set in
-sharp IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
-sharp
-sharp To ignore specific UIDs list them in csf.uidignore and then restart lfd
-sharp
-sharp Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
-sharp would be sensible to enable this feature
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
UID_INTERVAL = "0"
UID_LIMIT = "10"

-sharp You can specify the ports and/or port ranges that should be tracked by the
-sharp User ID Tracking feature. The following setting is a comma separated list
-sharp of those ports and uses the same format as TCP_OUT. The default setting of
-sharp 0:65535,ICMP covers all ports
UID_PORTS = "0:65535,ICMP"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Account Tracking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Account Tracking. The following options enable the tracking of modifications
-sharp to the accounts on a server. If any of the enabled options are triggered by
-sharp a modifications to an account, an alert email is sent. Only the modification
-sharp is reported. The cause of the modification will have to be investigated
-sharp manually
-sharp
-sharp You can set AT_ALERT to the following:
-sharp 0 = disable this feature
-sharp 1 = enable this feature for all accounts
-sharp 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
-sharp 3 = enable this feature only for the root account
AT_ALERT = "2"

-sharp This options is the interval between checks in seconds
AT_INTERVAL = "60"

-sharp Send alert if a new account is created
AT_NEW = "1"

-sharp Send alert if an existing account is deleted
AT_OLD = "1"

-sharp Send alert if an account password has changed
AT_PASSWD = "1"

-sharp Send alert if an account uid has changed
AT_UID = "1"

-sharp Send alert if an account gid has changed
AT_GID = "1"

-sharp Send alert if an account login directory has changed
AT_DIR = "1"

-sharp Send alert if an account login shell has changed
AT_SHELL = "1"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Integrated User Interface
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Integrated User Interface. This feature provides a HTML UI to csf and lfd,
-sharp without requiring a control panel or web server. The UI runs as a sub process
-sharp to the lfd daemon
-sharp
-sharp As it runs under the root account and successful login provides root access
-sharp to the server, great care should be taken when configuring and using this
-sharp feature. There are additional restrictions to enhance secure access to the UI
-sharp
-sharp See readme.txt for more information about using this feature BEFORE enabling
-sharp it for security and access reasons
-sharp 
-sharp 1 to enable, 0 to disable
UI = "0"

-sharp Set this to the port that want to bind this service to. You should configure
-sharp this port to be >1023 and different from any other port already being used
-sharp
-sharp Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
-sharp to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "6666"

-sharp Optionally set the IP address to bind to. Normally this should be left blank
-sharp to bind to all IP addresses on the server.
-sharp
-sharp If the server is configured for IPv6 but the IP to bind to is IPv4, then the
-sharp IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
-sharp ::ffff:1.2.3.4
-sharp
-sharp Leave blank to bind to all IP addresses on the server
UI_IP = ""

-sharp This should be a secure, hard to guess username
-sharp 
-sharp This must be changed from the default
UI_USER = "username"

-sharp This should be a secure, hard to guess password. That is, at least 8
-sharp characters long with a mixture of upper and lowercase characters plus 
-sharp numbers and non-alphanumeric characters
-sharp
-sharp This must be changed from the default
UI_PASS = "password"

-sharp This is the login session timeout. If there is no activity for a logged in
-sharp session within this number of seconds, the session will timeout and a new
-sharp login will be required
-sharp
-sharp For security reasons, you should always keep this option low (i.e 60-300)
UI_TIMEOUT = "300"

-sharp This is the maximum concurrent connections allowed to the server. The default
-sharp value should be sufficient
UI_CHILDREN = "5"

-sharp The number of login retries allowed within a 24 hour period. A successful
-sharp login from the IP address will clear the failures
-sharp
-sharp For security reasons, you should always keep this option low (i.e 0-10)
UI_RETRY = "5"

-sharp If enabled, this option will add the connecting IP address to the file 
-sharp /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
-sharp able to login to the UI while it is listed in this file. The UI_BAN setting
-sharp does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
-sharp csf.ignore, etc.
-sharp
-sharp For security reasons, you should always enable this option
UI_BAN = "1"

-sharp If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
-sharp be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
-sharp the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
-sharp
-sharp For security reasons, you should always enable this option and use ui.allow
UI_ALLOW = "1"

-sharp If enabled, this option will trigger an iptables block through csf after
-sharp UI_RETRY login failures
-sharp
-sharp 0 = no block;1 = perm block;nn=temp block for nn secs
UI_BLOCK = "1"

-sharp This controls what email alerts are sent with regards to logins to the UI. It
-sharp uses the uialert.txt template
-sharp
-sharp 4 = login success + login failure/ban/block + login attempts
-sharp 3 = login success + login failure/ban/block
-sharp 2 = login failure/ban/block
-sharp 1 = login ban/block
-sharp 0 = disabled
UI_ALERT = "4"

-sharp This is the SSL cipher list that the Integrated UI will negotiate from
UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"

-sharp This is the SSL protocol version used. See IO::Socket::SSL if you wish to
-sharp change this and to understand the implications of changing it
UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"

-sharp If cxs is installed then enabling this option will provide a dropdown box to
-sharp switch between applications
UI_CXS = "0"

-sharp There is a modified installation of ConfigServer Explorer (cse) provided with
-sharp the csf distribution. If this option is enabled it will provide a dropdown
-sharp box to switch between applications
UI_CSE = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Messenger service
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Messenger service. This feature allows the display of a message to a blocked
-sharp connecting IP address to inform the user that they are blocked in the
-sharp firewall. This can help when users get themselves blocked, e.g. due to
-sharp multiple login failures. The service is provided by two daemons running on
-sharp ports providing either an HTML or TEXT message.
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included.
-sharp
-sharp For further information on features and limitations refer to the csf
-sharp readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
-sharp
-sharp 1 to enable, 0 to disable
MESSENGER = "0"

-sharp Provide this service to temporary IP address blocks
MESSENGER_TEMP = "1"

-sharp Provide this service to permanent IP address blocks
MESSENGER_PERM = "1"

-sharp User account to run the service servers under. We recommend creating a
-sharp specific non-priv, non-shell account for this purpose
MESSENGER_USER = "csf"

-sharp This is the maximum concurrent connections allowed to each service server
MESSENGER_CHILDREN = "10"

-sharp Set this to the port that will receive the HTTPS HTML message. You should
-sharp configure this port to be >1023 and different from the TEXT and HTML port. Do
-sharp NOT enable access to this port in TCP_IN. This option requires the perl
-sharp module IO::Socket::SSL at a version level that supports SNI (1.83+).
-sharp Additionally the version of openssl on the server must also support SNI
-sharp
-sharp The option uses existing SSL certificates on the server for each domain to
-sharp maintain a secure connection without browser warnings. It uses SNI to choose
-sharp the correct certificate to use for each client connection
-sharp
-sharp Warning: On some servers the amount of memory used by the HTTPS MESSENGER
-sharp service can become significant depending on various factors associated with
-sharp the use of IO::Socket::SSL including the number of domains and certificates
-sharp served
MESSENGER_HTTPS = "8887"

-sharp This comma separated list are the HTTPS HTML ports that will be redirected
-sharp for the blocked IP address. If you are using per application blocking
-sharp (LF_TRIGGER) then only the relevant block port will be redirected to the
-sharp messenger port
-sharp
-sharp Recommended setting "443" plus any end-user control panel SSL ports
MESSENGER_HTTPS_IN = ""

-sharp This option points to the file(s) containing the Apache VirtualHost SSL
-sharp definitions. This can be a file glob if there are multiple files to search.
-sharp Only Apache v2 SSL VirtualHost definitions are supported
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"

-sharp The following options can be specified to provide a default fallback
-sharp certificate to be used if either SNI is not supported or a hosted domain does
-sharp not have an SSL certificate. If a fallback is not provided, one of the certs
-sharp obtained from MESSENGER_HTTPS_CONF will be used
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"

-sharp Set this to the port that will receive the HTML message. You should configure
-sharp this port to be >1023 and different from the TEXT port. Do NOT enable access
-sharp to this port in TCP_IN
MESSENGER_HTML = "8888"

-sharp This comma separated list are the HTML ports that will be redirected for the
-sharp blocked IP address. If you are using per application blocking (LF_TRIGGER)
-sharp then only the relevant block port will be redirected to the messenger port
MESSENGER_HTML_IN = "80,2082,2095"

-sharp Set this to the port that will receive the TEXT message. You should configure
-sharp this port to be >1023 and different from the HTML port. Do NOT enable access
-sharp to this port in TCP_IN
MESSENGER_TEXT = "8889"

-sharp This comma separated list are the TEXT ports that will be redirected for the
-sharp blocked IP address. If you are using per application blocking (LF_TRIGGER)
-sharp then only the relevant block port will be redirected to the messenger port
MESSENGER_TEXT_IN = "21"

-sharp These settings limit the rate at which connections can be made to the
-sharp messenger service servers. Its intention is to provide protection from
-sharp attacks or excessive connections to the servers. If the rate is exceeded then
-sharp iptables will revert for the duration to the normal blocking actiity
-sharp
-sharp See the iptables man page for the correct --limit rate syntax
MESSENGER_RATE = "100/s"
MESSENGER_BURST = "150"

-sharp The RECAPTCHA options provide a way for end-users that have blocked
-sharp themselves in the firewall to unblock themselves.
-sharp
-sharp A valid Google ReCAPTCHA (v2) is required for this feature from:
-sharp https://www.google.com/recaptcha/intro/index.html
-sharp
-sharp When configuring a new reCAPTCHA API key set, you must ensure that the option
-sharp for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
-sharp used for all domains hosted on the server. lfd then checks that the hostname
-sharp of the request resolves to an IP on this server.
-sharp
-sharp This feature requires the installation of the LWP::UserAgent perl module (see
-sharp option URLGET for more details).
-sharp
-sharp The template used for this feature is /etc/csf/messenger/index.recaptcha.html
-sharp
-sharp Note: An unblock will fail if the end-users IP is located in a netblock,
-sharp blocklist or CC_* deny entry
RECAPTCHA_SITEKEY = ""
RECAPTCHA_SECRET = ""

-sharp Send an email when an IP address successfully attempts to unblock themselves.
-sharp This does not necessarily mean the IP was unblocked, only that the
-sharp post-recaptcha unblock request was attempted
-sharp
-sharp Set to "0" to disable
RECAPTCHA_ALERT = "1"

-sharp If the server uses NAT then resolving the hostname to hosted IPs will likely
-sharp not succeed. In that case, the external IP addresses must be listed as comma
-sharp separated comma separated list here
RECAPTCHA_NAT = ""

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:lfd Clustering
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp lfd Clustering. This allows the configuration of an lfd cluster environment
-sharp where a group of servers can share blocks and configuration option changes.
-sharp Included are CLI and UI options to send requests to the cluster.
-sharp
-sharp See the readme.txt file for more information and details on setup and
-sharp security risks.
-sharp
-sharp Comma separated list of cluster member IP addresses to send requests to
CLUSTER_SENDTO = ""

-sharp Comma separated list of cluster member IP addresses to receive requests from
CLUSTER_RECVFROM = ""

-sharp IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
-sharp changes
CLUSTER_MASTER = ""

-sharp If this is a NAT server, set this to the public IP address of this server
CLUSTER_NAT = ""

-sharp If a cluster member should send requests on an IP other than the default IP,
-sharp set it here
CLUSTER_LOCALADDR = ""

-sharp Cluster communication port (must be the same on all member servers). There
-sharp is no need to open this port in the firewall as csf will automatically add
-sharp in and out bound rules to allow communication between cluster members
CLUSTER_PORT = "7777"

-sharp This is a secret key used to encrypt cluster communications using the
-sharp Blowfish algorithm. It should be between 8 and 56 characters long,
-sharp preferably > 20 random characters
-sharp 56 chars:    01234567890123456789012345678901234567890123456789012345
CLUSTER_KEY = ""

-sharp Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
-sharp servers must have this servers IP address listed in their CLUSTER_RECVFROM
-sharp
-sharp Set to 0 to disable this feature
CLUSTER_BLOCK = "1"

-sharp This option allows the enabling and disabling of the Cluster configuration
-sharp changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
-sharp CLUSTER_MASTER server
-sharp
-sharp Set this option to 1 to allow Cluster configurations to be received
CLUSTER_CONFIG = "0"

-sharp Maximum number of child processes to listen on. High blocking rates or large
-sharp clusters may need to increase this
CLUSTER_CHILDREN = "10"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Port Knocking
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Port Knocking. This feature allows port knocking to be enabled on multiple
-sharp ports with a variable number of knocked ports and a timeout. There must be a
-sharp minimum of 3 ports to knock for an entry to be valid
-sharp
-sharp See the following for information regarding Port Knocking:
-sharp http://www.portknocking.org/
-sharp
-sharp This feature does not work on servers that do not have the iptables module
-sharp ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
-sharp server admins should check with their VPS host provider that the iptables
-sharp module is included
-sharp
-sharp For further information and syntax refer to the Port Knocking section of the
-sharp csf readme.txt
-sharp
-sharp Note: Run /etc/csf/csftest.pl to check whether this option will function on
-sharp this server
-sharp
-sharp openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
-sharp e.g.: 22;TCP;20;100;200;300;400
PORTKNOCKING = ""

-sharp Enable PORTKNOCKING logging by iptables
PORTKNOCKING_LOG = "1"

-sharp Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
-sharp also be enabled to use this option
-sharp
-sharp SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
-sharp this file about RESTRICT_SYSLOG before enabling this option:
PORTKNOCKING_ALERT = "0"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Log Scanner
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Log Scanner. This feature will send out an email summary of the log lines of
-sharp each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
-sharp they match a regular expression in /etc/csf/csf.logignore
-sharp
-sharp File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
-sharp be aware that the more files lfd has to track, the greater the performance
-sharp hit. Note: File globs are only evaluated when lfd is started
-sharp
-sharp Note: lfd builds the report continuously from lines logged after lfd has
-sharp started, so any lines logged when lfd is not running will not be reported
-sharp (e.g. during reboot). If lfd is restarted, then the report will include any
-sharp lines logged during the previous lfd logging period that weren't reported
-sharp
-sharp 1 to enable, 0 to disable
LOGSCANNER = "0"

-sharp This is the interval each report will be sent based on the logalert.txt
-sharp template
-sharp
-sharp The interval can be set to:
-sharp "hourly" - sent on the hour
-sharp "daily"  - sent at midnight (00:00)
-sharp "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
-sharp            via cron job
LOGSCANNER_INTERVAL = "hourly"

-sharp Report Style
-sharp 1 = Separate chronological log lines per log file
-sharp 2 = Simply chronological log of all lines
LOGSCANNER_STYLE = "1"

-sharp Send the report email even if no log lines reported
-sharp 1 to enable, 0 to disable
LOGSCANNER_EMPTY = "1"

-sharp Maximum number of lines in the report before it is truncated. This is to
-sharp prevent log lines flooding resulting in an excessively large report. This
-sharp might need to be increased if you choose a daily report
LOGSCANNER_LINES = "5000"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Statistics Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Statistics
-sharp
-sharp Some of the Statistics output requires the gd graphics library and the
-sharp GD::Graph perl module with all dependent modules to be installed for the UI
-sharp for them to be displayed
-sharp
-sharp This option enabled statistical data gathering
ST_ENABLE = "1"

-sharp This option determines how many iptables log lines to store for reports
ST_IPTABLES = "100"

-sharp This option indicates whether rDNS and CC lookups are performed at the time
-sharp the log line is recorded (this is not performed when viewing the reports)
-sharp
-sharp Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
-sharp then enabling this setting could cause serious performance problems
ST_LOOKUP = "0"

-sharp This option will gather basic system statstics. Through the UI it displays
-sharp various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
-sharp  . Hourly (per minute)
-sharp  . 24 hours (per minute)
-sharp  . 7 days (per minute averaged over an hour)
-sharp  . 30 days (per minute averaged over an hour) - user definable
-sharp The data is stored in /var/lib/csf/stats/system and the option requires the
-sharp perl GD::Graph module
-sharp
-sharp Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
-sharp those systems do not store the required information in /proc/diskstats
-sharp On new installations or when enabling this option it will take time for these
-sharp graphs to be populated
ST_SYSTEM = "0"

-sharp Set the maximum days to collect statistics for. The default is 30 days, the
-sharp more data that is collected the longer it will take for each of the graphs to
-sharp be generated
ST_SYSTEM_MAXDAYS = "30"

-sharp If ST_SYSTEM is enabled, then these options can collect MySQL statistical
-sharp data. To use this option the server must have the perl modules DBI and
-sharp DBD::mysql installed.
-sharp
-sharp Set this option to "0" to disable MySQL data collection
ST_MYSQL = "0"

-sharp The following options are for authentication for MySQL data collection. If
-sharp the password is left blank and the user set to "root" then the procedure will
-sharp look for authentication data in /root/.my.cnf. Otherwise, you will need to
-sharp provide a MySQL username and password to collect the data. Any MySQL user
-sharp account can be used
ST_MYSQL_USER = "root"
ST_MYSQL_PASS = ""
ST_MYSQL_HOST = "localhost"

-sharp If ST_SYSTEM is enabled, then this option can collect Apache statistical data
-sharp The value for PT_APACHESTATUS must be correctly set
ST_APACHE = "0"

-sharp The following options measure disk write performance using dd (location set
-sharp via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and
-sharp the statistics will plot the MB/s response time of the disk. As this is an IO
-sharp intensive operation, it may not be prudent to run this test too often, so by
-sharp default it is only run every 5 minutes and the result duplicated for each
-sharp intervening minute for the statistics
-sharp
-sharp This is not necessrily a good measure of disk performance, primarily because
-sharp the measurements are for relatively small amounts of data over a small amount
-sharp of time. To properly test disk performance there are a variety of tools
-sharp available that should be run for extended periods of time to obtain an
-sharp accurate measurement. This metric is provided to give an idea of how the disk
-sharp is performing over time
-sharp
-sharp Note: There is a 15 second timeout performing the check
-sharp
-sharp Set to 0 to disable, 1 to enable
ST_DISKW = "0"

-sharp The number of minutes that elapse between tests. Default is 5, minimum is 1.
ST_DISKW_FREQ = "5"

-sharp This is the command line passed to dd. If you are familiar with dd, or wish
-sharp to move the output file (of) to a different disk, then you can alter this
-sharp command. Take great care when making any changes to this command as it is
-sharp very easy to overwrite a disk using dd if you make a mistake
ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:Docker Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp NOTE: This feature is currently in BETA testing, so may not work correctly
-sharp
-sharp This section provides the configuration of iptables rules to allow Docker
-sharp containers to communicate through the host. If the generated rules do not
-sharp work with your setup you will have to use a /etc/csf/csfpost.sh file and add
-sharp your own iptables configuration instead
-sharp
-sharp 1 to enable, 0 to disable
DOCKER = "0"

-sharp The network device on the host
DOCKER_DEVICE = "docker0"

-sharp Docker container IPv4 range
DOCKER_NETWORK4 = "172.17.0.0/16"

-sharp Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
-sharp available (see IPv6 section). Leave blank to disable
DOCKER_NETWORK6 = "2001:db8:1::/64"

-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp SECTION:OS Specific Settings
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp
-sharp Binary locations
IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"
IPTABLES_RESTORE = "/sbin/iptables-restore"
IP6TABLES = "/sbin/ip6tables"
IP6TABLES_SAVE = "/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
VMSTAT = "/usr/bin/vmstat"
NETSTAT = "/bin/netstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
UNZIP = "/usr/bin/unzip"
GUNZIP = "/bin/gunzip"
DD = "/bin/dd"
TAIL = "/usr/bin/tail"
GREP = "/bin/grep"
ZGREP = "/usr/bin/zgrep"
IPSET = "/usr/sbin/ipset"
SYSTEMCTL = "/usr/bin/systemctl"
HOST = "/usr/bin/host"
IP = "/sbin/ip"

-sharp Log file locations
-sharp
-sharp File globbing is allowed for the following logs. However, be aware that the
-sharp more files lfd has to track, the greater the performance hit
-sharp
-sharp Note: File globs are only evaluated when lfd is started
-sharp
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"

CUSTOM1_LOG = "/var/log/customlog"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"

-sharp The following are comma separated lists used if LF_SELECT is enabled,
-sharp otherwise they are not used. They are derived from the application returned
-sharp from a regex match in /usr/local/csf/bin/regex.pm
-sharp
-sharp All ports default to tcp blocks. To specify udp or tcp use the format:
-sharp port;protocol,port;protocol,... For example, "53;udp,53;tcp"
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53;udp,53;tcp"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
-sharp This list is replaced, if present, by "Port" definitions in
-sharp /etc/ssh/sshd_config
PORTS_sshd = "22"

-sharp This configuration is for use with generic Linux servers, do not change the
-sharp following setting:
GENERIC = "1"

-sharp For internal use only. You should not enable this option as it could cause
-sharp instability in csf and lfd
DEBUG = "0"
-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp-sharp

add the remaining configuration files

  • Centos7 Firewall startup failed

    < H2 > failed to start firewalld in centos7 < H2 > I don t know if there is something wrong with the setting, resulting in the use of the command 2018-04-03 14:36:13 WARNING: ICMP type beyond-scope is not supported by the kernel for ipv6. 2018-0...

    Feb.28,2021
MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1e53d78-45282.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1e53d78-45282.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?