剩下的csf.conf配置部分
CONNLIMIT = ""
# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = "22;tcp;5;300,80;tcp;500;5"
# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"
# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"
###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"
# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"
# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"
# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"
# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"
# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"
# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"
# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"
# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"
# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"
# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"
# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"
###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""
# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""
# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""
# Block Reporting. lfd can run an external script when it performs and IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""
# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""
# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"
# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""
# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""
# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"
###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""
###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"
# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"
# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"
# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "0"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""
# Set the following to the number of seconds to poll for a change in the IP
# address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"
# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"
# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""
# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URL's
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
# apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
# perl -MCPAN -eshell
# cpan> install LWP LWP::Protocol::https
#
# We recommend setting this set to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"
###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""
# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""
# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
# then only counties listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""
# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then counties listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""
# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achive since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""
# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries small than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""
# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
# uses a URL-based lookup from a third-party provider at https://freegeoip.net
# and so avoids having to download and process the large databases. Please
# visit the https://freegeoip.net and read their limitations and respect that
# this option will either cease to function or be removed by us if that site is
# abused or overloaded. ONLY use this option if you have difficulties using the
# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
# CC_* options above, which will continue to use the MaxMind databases
#
CC_LOOKUPS = "1"
# Display Country Code and Country for reported IPv6 addresses using the
# MaxMind Country IPv6 Database
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
# PORTFLOOD
CC6_LOOKUPS = "0"
# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = "14"
###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"
# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"
# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"
# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"
# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"
# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"
# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"
# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"
# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"
# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"
# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"
# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"
# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"
# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"
# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"
# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"
# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"
# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"
# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"
# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"
# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"
# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER,SSHDSPAM
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""
# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"
# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"
# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"
# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside, is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"
# By default csf will create both an inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IP's and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"
###############################################################################
# SECTION:Clo
