Initial Settings


Configure ConfigServer Firewall

Start by listing the ports that are actually in use on your server with netstat in your SSH session (on newer distributions ss -plnt gives the same listing; add -u to either command if you also want to see UDP listeners):

netstat -plnt

You will see output like the listing below. Note the ports and add every port that is listening on the wildcard address 0.0.0.0 (or :: for IPv6) to the IPv4 (and IPv6) port settings.

Anything listening on 127.0.0.1 (or ::1) is only reachable from the server itself and does not need to be allowed in the firewall. In the listing below, for example, the varnish admin port 6082 and redis on 6379 are loopback-only and stay out of TCP_IN, whereas 8090 is bound to 0.0.0.0 and must either be added to TCP_IN or rebound to 127.0.0.1 if it is not meant to be public.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1935/perl
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22748/varnishd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      22040/nginx -g daem
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7099/sshd
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      22040/nginx -g daem
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      22748/varnishd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      10006/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      22748/varnishd
tcp6       0      0 :::22                   :::*                    LISTEN      7099/sshd
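Doing this comparison by eye is error-prone on a busy server, so here is an added Python example (not part of the original guide or of csf) that parses the netstat listing above, separates public listeners from loopback-only ones and diffs the public ports against a csf TCP_IN list, including port ranges such as 30000:35000. The listing and the TCP_IN value are the ones from this page, embedded as sample input; the script also lists allowed ports that have no listener, which are worth a second look rather than automatically wrong (you may open 443 before the certificate is installed).

```python
import re

# The netstat -plnt listing shown above, embedded here as sample input.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1935/perl
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22748/varnishd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      22040/nginx -g daem
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      7099/sshd
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN      22040/nginx -g daem
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      22748/varnishd
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      10006/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      22748/varnishd
tcp6       0      0 :::22                   :::*                    LISTEN      7099/sshd
"""

# The TCP_IN list this guide uses under IPv4 Port Settings.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,69,8080,10000"

# One LISTEN line: proto, two queue counters, addr:port, foreign addr, state, program.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<prog>.*)$"
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (proto, addr, port, program) for every LISTEN line in netstat -plnt output."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            out.append((m["proto"], m["addr"], int(m["port"]), m["prog"].strip()))
    return out


def expand_ports(spec):
    """Expand a csf port list such as '22,80,30000:35000' into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(text, tcp_in):
    """Compare what is listening with what TCP_IN allows.

    Anything not bound to a loopback address counts as public, so a service
    bound to one specific external IP is treated the same as 0.0.0.0 / ::.
    """
    allowed = expand_ports(tcp_in)
    public, loopback = {}, {}
    for _proto, addr, port, prog in parse_listeners(text):
        bucket = loopback if addr in LOOPBACK else public
        bucket.setdefault(port, set()).add(prog.split()[0])   # "PID/name" only
    return {
        "public_not_allowed": {p: sorted(v) for p, v in public.items() if p not in allowed},
        "loopback_only": sorted(loopback),
        "allowed_without_listener": sorted(allowed - set(public)),
    }


if __name__ == "__main__":
    for key, value in audit(NETSTAT_OUTPUT, TCP_IN).items():
        print(f"{key}: {value}")
```

Run against the page's own listing, the script reports 8090 (nginx) as public but missing from TCP_IN, 6082 and 6379 as loopback-only, and a dozen TCP_IN entries (mail, DNS, FTP) with no listener on this particular host.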

Initial Settings

To get started with securing your VPS or dedicated server with ConfigServer Firewall, go to the csf – ConfigServer Firewall section in the Webmin module.

Click Firewall Configuration to set all of the options below.

The firewall is only enforced once TESTING is set to 0. While TESTING is 1, csf installs a cron job that flushes its rules every TESTING_INTERVAL minutes so that a mistake cannot lock you out; it is safe to switch it to 0 because you whitelisted your own IP address above using WhatIsMyIPAddress and/or Dynamic DNS.

TESTING = 0

Under Initial Settings also change RESTRICT_SYSLOG. Most of the LF_* options below work by parsing syslog, and any local user who can write to the syslog socket could forge "failed login" lines and get arbitrary IP addresses blocked. Option 3 restricts access to the syslog/rsyslog sockets to the members of the RESTRICT_SYSLOG_GROUP group.

RESTRICT_SYSLOG = 3

Under IPv4 Port Settings

Choose the TCP ports. The defaults will handle most systems, but do include any additional public ports from the netstat output (in the listing above that would also be 8090 if you intend to keep it reachable). Remember to add port 10000 for Webmin and the custom SSH port (I’ve used 69) which you will configure later; keep 22 in the list until the SSH port change has been tested, then remove it.

TCP_IN 20,21,22,25,53,80,110,143,443,465,587,993,995,69,8080,10000
TCP_OUT 20,21,22,25,53,80,110,113,443,587,993,995

Leave UDP_IN blank; a web server rarely needs inbound UDP unless it streams video or audio. Do not leave UDP_OUT blank, though: the server’s own DNS lookups go out over UDP port 53 and NTP time sync over UDP 123, so with an empty UDP_OUT name resolution (and with it mail delivery and package updates) breaks.

UDP_IN
UDP_OUT 53,123

Under IPv6 Port Settings make them match the IPv4 port settings. The IPv6 options are TCP6_IN, TCP6_OUT, UDP6_IN and UDP6_OUT, and IPV6 must be set to 1 or no ip6tables rules are applied at all; the netstat listing above shows sshd and varnish listening on :: as well as 0.0.0.0, so an unfiltered IPv6 address would bypass everything you configure here.

TCP6_IN 20,21,22,25,53,80,110,143,443,465,587,993,995,69,8080,10000
TCP6_OUT 20,21,22,25,53,80,110,113,443,587,993,995

Same for UDP

UDP6_IN
UDP6_OUT 53,123

Under General Settings

SYSLOG_CHECK makes lfd verify periodically that syslog is actually working: it writes a test line and checks that it shows up in the log. Set it, because every log-based option below (LF_SSHD and the rest) silently stops working if the syslog service dies. 3600 checks once an hour.

SYSLOG_CHECK = 3600

SMTP Settings

SMTP_BLOCK is about outgoing mail, not about who may send mail to you. With SMTP_BLOCK = 1 csf stops local processes from connecting directly to remote mail servers on the SMTP ports (25, 465 and 587 by default); only root, the mail system’s own users and the users/groups listed in SMTP_ALLOWUSER and SMTP_ALLOWGROUP are exempt. That forces everything, including a compromised PHP script, through your local MTA where it is logged and can be rate limited. SMTP_ALLOWLOCAL = 1 still permits connections to the MTA on localhost. If an application of yours talks to an external relay itself, for example Google’s SMTP servers, either add its user to SMTP_ALLOWUSER or leave SMTP_BLOCK = 0.

SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1

To allow extra SMTP users set them in SMTP_ALLOWUSER and SMTP_ALLOWGROUP

SMTP_ALLOWUSER = webmaster,postmaster
SMTP_ALLOWGROUP = mail

Reporting Settings

Under Reporting Settings leave LF_ALERT_TO and LF_ALERT_FROM blank if you have Postfix configured to forward root’s mail to your regular email address; otherwise set LF_ALERT_TO to the address that should receive the alerts.

Do set X_ARF so that block alerts carry a detailed, machine-readable X-ARF abuse report of the intrusion attempt.

X_ARF = 1

Global Lists/DYNDNS/Blocklists

Under Global Lists/DYNDNS/Blocklists you can set custom IP lists to ignore, including dynamic DNS hostnames. If your own connection has a dynamic IP, put its hostname in csf.dyndns and set these options so that lfd resolves the hostname every 10 minutes (600 seconds) and never blocks the resulting IP:

DYNDNS = 600
DYNDNS_IGNORE = 1

Under Country Codes Lists and Settings you can block whole countries by their ISO two-letter code. If you want to block Russia and China, add them to CC_DENY. Country blocking relies on an IP geolocation database, which is never fully accurate, and it does nothing against an attacker using a VPS or proxy elsewhere, so treat it as noise reduction rather than protection.

CC_DENY = RU,CN

Login Failure Blocking and Alerts

Under Login Failure Blocking and Alerts you can block IP addresses that attempt to brute force your services such as SSH, FTP, SMTP and others. Each LF_* trigger has a matching LF_*_PERM setting: 1 makes the block permanent, any larger value is a temporary block for that many seconds.

LF_TRIGGER controls the counting mode. Leave it at 0 (the default) so that each application has its own failure threshold (LF_SSHD, LF_FTPD, ...) and its own LF_*_PERM block length; with LF_TRIGGER = 0, LF_TRIGGER_PERM has no effect at all. If you instead set LF_TRIGGER to a number, that becomes one cumulative failure count across all applications, the application triggers turn into simple on/off switches, and LF_TRIGGER_PERM decides the block length.

LF_TRIGGER = 0
LF_TRIGGER_PERM = 1

If you are concerned about locking yourself or other friendly users out, use a temporary block instead of a permanent one, for example 60 so that the IP is released after one minute. In the per-application mode this goes into LF_SSHD_PERM, LF_FTPD_PERM and so on:

LF_SSHD_PERM = 60

Set LF_SELECT to 1 to block an attacking IP only on the ports of the service it attacked (the PORTS_* options) rather than completely. This way a user whose PC is compromised and hammering, say, your SMTP AUTH port still keeps access to your web site. LF_SELECT only works with LF_TRIGGER = 0.

LF_SELECT = 1

The remaining options set how many failures on a specific service block an IP. You can tighten the SSH limit from the default of 5 to 3 like this:

LF_SSHD = 3

Same goes for FTP and SMTP AUTH:

LF_FTPD = 3
LF_SMTPAUTH = 3

Block Webmin failed attempts:

LF_WEBMIN = 3

You can also block IPs that request large numbers of 404 or 403 pages from Apache. These options parse the Apache error log, so they do nothing on a server without Apache (the netstat listing above shows only nginx and varnish), and beware of false positives from bots you actually want crawling your site:

LF_APACHE_404 = 200
LF_APACHE_403 = 200

Under Distributed Attacks you can catch botnets that spread their failed logins across many IP addresses against one account. LF_DISTATTACK_UNIQ is the minimum number of distinct IPs that must be involved: once the failures against a single account reach the application’s trigger value (LF_SSHD and so on) and come from at least this many IPs, all of those IPs are blocked. Here 2 IPs are enough:

LF_DISTATTACK = 1
LF_DISTATTACK_UNIQ = 2
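To make the interplay of LF_TRIGGER, the per-application LF_* thresholds, LF_SELECT and LF_DISTATTACK concrete, here is an added Python simulation of lfd’s decision logic over a handful of constructed syslog lines (it is example code written for this page, not csf’s own implementation, and the sample log lines are made up). The option names mirror csf.conf; the PORTS_sshd and PORTS_imapd values are this example’s assumptions about the ports each service uses. It shows that one IP failing three times against root is blocked on port 22 only, that two IPs sharing three failures against the admin account are both blocked as a distributed attack, and that in cumulative mode (LF_TRIGGER greater than 0) the block becomes a whole-IP block governed by LF_TRIGGER_PERM.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample (not real log data): one IP brute-forcing
# root, two IPs sharing failures against "admin", and two IMAP failures.
SAMPLE_LOG = """\
Dec  5 23:01:01 vps sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec  5 23:01:03 vps sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec  5 23:01:05 vps sshd[2201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Dec  5 23:02:10 vps sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Dec  5 23:02:12 vps sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Dec  5 23:02:14 vps sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Dec  5 23:03:00 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2
Dec  5 23:03:30 vps dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=10.0.0.2
"""

PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    "imapd": re.compile(r"imap-login: Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"),
}

# Option names follow csf.conf; the PORTS_* values are this example's assumptions.
CFG = {
    "LF_TRIGGER": 0, "LF_TRIGGER_PERM": 1, "LF_SELECT": 1,
    "LF_SSHD": 3, "LF_SSHD_PERM": 1,
    "LF_IMAPD": 20, "LF_IMAPD_PERM": 1,
    "LF_DISTATTACK": 1, "LF_DISTATTACK_UNIQ": 2,
    "PORTS_sshd": "22", "PORTS_imapd": "143,220,993",
}


def parse_failures(text):
    """Yield (app, user, ip) for every recognised authentication failure line."""
    for line in text.splitlines():
        for app, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                yield app, m.group("user"), m.group("ip")
                break


def evaluate(text, cfg=CFG):
    """Return (blocks, distributed).

    blocks maps ip -> (ports, duration); distributed maps "app:account" -> set
    of ips that took part in a distributed attack on that account.
    """
    per_ip_app = defaultdict(int)     # (ip, app) -> failures, per-application mode
    per_ip = defaultdict(int)         # ip -> failures across all apps, cumulative mode
    per_account = defaultdict(list)   # (app, user) -> one ip per failure
    for app, user, ip in parse_failures(text):
        per_ip_app[(ip, app)] += 1
        per_ip[ip] += 1
        per_account[(app, user)].append(ip)

    cumulative = cfg["LF_TRIGGER"] > 0

    def limit(app):        # failures needed before a block is issued
        return cfg["LF_TRIGGER"] if cumulative else cfg.get(f"LF_{app.upper()}", 0)

    def scope(app):        # LF_SELECT only applies in per-application mode
        return cfg[f"PORTS_{app}"] if cfg["LF_SELECT"] and not cumulative else "all"

    def duration(app):     # 1 = permanent, anything larger = seconds
        perm = cfg["LF_TRIGGER_PERM"] if cumulative else cfg.get(f"LF_{app.upper()}_PERM", 1)
        return "permanent" if perm == 1 else f"{perm}s"

    blocks = {}
    if cumulative:
        for ip, n in per_ip.items():
            if n >= cfg["LF_TRIGGER"]:
                blocks[ip] = ("all", duration(None))
    else:
        for (ip, app), n in per_ip_app.items():
            if limit(app) and n >= limit(app):
                blocks[ip] = (scope(app), duration(app))

    distributed = {}
    if cfg["LF_DISTATTACK"]:
        for (app, user), ips in per_account.items():
            uniq = set(ips)
            if limit(app) and len(ips) >= limit(app) and len(uniq) >= cfg["LF_DISTATTACK_UNIQ"]:
                distributed[f"{app}:{user}"] = uniq
                for ip in uniq:                       # every participant is blocked
                    blocks.setdefault(ip, (scope(app), duration(app)))
    return blocks, distributed


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
    print(evaluate(SAMPLE_LOG, dict(CFG, LF_TRIGGER=3, LF_SELECT=0, LF_TRIGGER_PERM=3600)))
```

The IMAP failures never reach LF_IMAPD = 20, so 192.0.2.44 is left alone in both modes, which is the point of per-application thresholds: a busy mail client retrying a stale password should not be treated like an SSH brute forcer.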

The FTP and SMTP options below work differently: they count successful logins to one account from different IPs within LF_DIST_INTERVAL (300 seconds by default), which is the pattern of a stolen password being used by a zombie network. LF_DISTFTP is the number of logins and LF_DISTFTP_UNIQ the number of distinct IPs among them, so UNIQ must not be larger than the login count or the option never triggers. Be careful with UNIQ if several people legitimately share one account; here 3 logins from 3 different IPs within the interval permanently block all three:

LF_DISTFTP = 3
LF_DISTFTP_UNIQ = 3
LF_DISTFTP_PERM = 1

Repeat the same for SMTP, with the same caution about shared accounts. Note that LF_DISTSMTP only works with the Exim MTA; on a Postfix server like the one in this guide it has no effect:

LF_DISTSMTP = 3
LF_DISTSMTP_UNIQ = 3
LF_DISTSMTP_PERM = 1

Process Tracking

Under Process Tracking lfd inspects user processes for suspicious executables or open network ports. It is usually easier to disable it by setting PT_LIMIT to 0, because the number of emails can be quite annoying. If you do want to use it, leave PT_LIMIT at its default value and add the processes to ignore to /etc/csf/csf.pignore as shown below.

PT_LIMIT = 0

PT_SSHDHUNG makes lfd kill sshd child processes that appear to have hung (connections left open without ever completing authentication), which stops half-open SSH sessions from piling up:

PT_SSHDHUNG = 1

Note: from this point onwards no configuration is done in Webmin; everything is done in your SSH session.

Alternatively you can keep process tracking on and add the services to exclude from it to /etc/csf/csf.pignore, which stops the excessive and annoying Process Tracking emails. In SSH:

nano /etc/csf/csf.pignore

Add the executables you wish to ignore there, one per line in the exe: form:

exe:/usr/bin/dbus-daemon
exe:/usr/sbin/mysqld
exe:/usr/bin/nginx
exe:/usr/lib/postfix/smtp
exe:/usr/lib/dovecot/auth

Additional ConfigServer Firewall Setup

Use the CSF blocklists from DShield and Spamhaus

sudo nano /etc/csf/csf.blocklists

Each line has the form NAME|INTERVAL|MAX|URL: how often (in seconds) the list is refreshed, the maximum number of entries to load (0 = all of them) and where to fetch it from. Uncomment these two lines by removing the # symbol; the Spamhaus DROP and DShield lists are conservative and should not cause false positives:

DSHIELD|86400|0|http://www.dshield.org/block.txt
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

Whole lists mean thousands of iptables rules; if you load them in full, enable LF_IPSET so they go into an ipset instead of the rule chain.

Restart CSF

csf -r
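For readers who want to see what lfd does with those two lines, here is an added Python example (written for this page, not csf’s own code) that parses a csf.blocklists file, parses a downloaded list in the Spamhaus DROP style (one CIDR per line, optional "; SBL…" comment) while honouring the MAX field, and checks whether a given address falls inside any of the networks. The csf.blocklists fragment and the DROP-style data are constructed samples; the real lists are fetched from the URLs above and the DShield file uses a different column layout that this parser does not attempt.

```python
import ipaddress

# Constructed csf.blocklists fragment in csf's NAME|INTERVAL|MAX|URL format.
BLOCKLISTS_CONF = """\
# NAME|INTERVAL|MAX|URL
DSHIELD|86400|0|http://www.dshield.org/block.txt
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso
#TOR|86400|0|https://example.invalid/tor-exits.txt
"""

# Constructed sample in the Spamhaus DROP layout (not the real list):
# "CIDR ; SBL reference", with ";"-comment lines and a garbage line to skip.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample)
1.10.16.0/20 ; SBL256894
5.42.92.0/24 ; SBL473888
103.230.140.0/22 ; SBL316834
not-an-address ; garbage line that must be skipped
"""


def parse_blocklists(text):
    """Return the enabled csf.blocklists entries; lines starting with # are disabled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, interval, maximum, url = line.split("|", 3)
        entries.append({"name": name, "interval": int(interval), "max": int(maximum), "url": url})
    return entries


def parse_cidr_list(text, maximum=0):
    """Parse a downloaded list into ip_network objects; maximum=0 means no limit (csf's MAX)."""
    nets = []
    for line in text.splitlines():
        token = line.split(";", 1)[0].split("#", 1)[0].strip()   # drop comments
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:                                        # not an address/network
            continue
        if maximum and len(nets) >= maximum:
            break
    return nets


def match(ip, nets):
    """Return the first network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


if __name__ == "__main__":
    for entry in parse_blocklists(BLOCKLISTS_CONF):
        print(f"{entry['name']}: refresh every {entry['interval']}s from {entry['url']}")
    nets = parse_cidr_list(SAMPLE_DROP)
    print("5.42.92.17 ->", match("5.42.92.17", nets))
    print("8.8.8.8 ->", match("8.8.8.8", nets))
```

The MAX field matters because of DENY_IP_LIMIT and rule-chain size: with MAX set to a number, csf loads only the first N entries of the list, which is why the ipset backend is the better choice when you want the whole list.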

Allowing the CloudFlare IPs should not be necessary! I use Flexible and Strict SSL with CloudFlare and have not needed to do this, but they do recommend it. The case where it matters: when your site is proxied by CloudFlare, your web server sees CloudFlare’s edge addresses as the client unless you restore the real visitor IP (mod_cloudflare or the CF-Connecting-IP header), so any automatic block keyed on the client address, such as LF_APACHE_404 or connection tracking, would end up blocking CloudFlare itself and take the whole site down. If you need to allow the CloudFlare IPs in CSF, go back to Webmin, click Firewall Allow IPs, paste this list and click Change.

You can also consider adding this list to /etc/csf/csf.ignore so that lfd never blocks these ranges. This is the list as published at the time of writing; check CloudFlare’s current published ranges before using it.

199.27.128.0/21
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13

If you set the CloudFlare allow IPs, click Return.

Secure SSH for CSF

Open the SSH configuration

sudo nano /etc/ssh/sshd_config

Change the port and add UseDNS no, so that sshd skips the reverse DNS lookup on every connection and the failed-login log entries carry the plain IP address that lfd matches on rather than a resolved name.

You must remember to add the port you choose here to TCP_IN (and TCP6_IN). Keep your current SSH session open while you restart sshd, and confirm that a second login on the new port works before you remove port 22 from TCP_IN; otherwise you can lock yourself out.

# What ports, IPs and protocols we listen for
Port 69
UseDNS no

Restart SSH daemon

sudo service ssh restart

Secure MySQL

Two quick hardening settings for MySQL: local-infile = 0 disables LOAD DATA LOCAL INFILE, which an attacker with SQL injection in a web application can otherwise use to read files that the application’s MySQL client (the web server process) can access; user = mysql makes sure the server runs as the unprivileged mysql user rather than root.

sudo nano /etc/mysql/my.cnf

Under [mysqld] add this

[mysqld]
#
# * Basic Settings
#
local-infile    = 0
user            = mysql

Restart MySQL

sudo service mysql restart

Monitor Critical System Files for Changes

ConfigServer lfd lets you monitor critical system files for changes by periodically checking their md5 sums and alerting you when one changes. This provides basic file-integrity monitoring, a lightweight alternative to tools such as Tripwire (it is not a replacement for a network IDS such as Snort).

Add the files you want to monitor here

sudo nano /etc/csf/csf.dirwatch

I have used root’s authorized_keys and some other important files whose modification would indicate a security breach.

CSF lfd ignores files owned by root by default, but if you specify them here they will be monitored by lfd.

/root/.ssh/authorized_keys
/etc/ssh/sshd_config
/etc/shadow

In the ConfigServer Webmin module find this setting under Directory Watching & Integrity and set it to 600 (every 10 minutes)

LF_DIRWATCH_FILE = 600

Restart the CSF service in Webmin or SSH.

lfd will then check the files every 10 minutes and email you an alert like this when one changes:

Time:   Sat Dec  5 23:20:13 2015 +0000
File:   /root/.ssh/authorized_keys has changed
Output: -rw------- 1 root root 404 2015-12-05 23:19:32.727340313 +0000 /root/.ssh/authorized_keys
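As an added illustration of what this file watching does (example code written for this page, not csf’s implementation; it uses SHA-256 plus mode, owner and size where lfd uses md5 sums), here is a small Python checker that baselines a watch list and reports exactly what changed, distinguishing an appended SSH key from a permissions-only change and from a deleted file. The demo() function builds throwaway copies of the three watched files in a temporary directory instead of touching /root/.ssh or /etc/shadow.

```python
import hashlib
import os
import stat
import tempfile

# The entries from csf.dirwatch above; demo() substitutes temporary copies.
WATCHLIST = ["/root/.ssh/authorized_keys", "/etc/ssh/sshd_config", "/etc/shadow"]


def fingerprint(path):
    """SHA-256 of the content plus mode/uid/gid/size, or None if the file is missing."""
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def baseline(paths):
    """Record the current state of every watched path (None for absent files)."""
    return {p: fingerprint(p) for p in paths}


def check(paths, base):
    """Compare the current state with a baseline.

    Returns (changes, new_baseline); each change is (path, description).
    """
    changes, now = [], {}
    for p in paths:
        cur = fingerprint(p)
        now[p] = cur
        old = base.get(p)
        if old == cur:
            continue
        if old is None:
            changes.append((p, "created"))
        elif cur is None:
            changes.append((p, "deleted"))
        else:
            changed = sorted(k for k in cur if cur[k] != old[k])
            changes.append((p, "changed: " + ",".join(changed)))
    return changes, now


def demo():
    """Self-contained run: baseline three fake files, tamper with them, report."""
    d = tempfile.mkdtemp()
    keys = os.path.join(d, "authorized_keys")
    cfg = os.path.join(d, "sshd_config")
    shadow = os.path.join(d, "shadow")
    with open(keys, "w") as fh:
        fh.write("ssh-ed25519 AAAAC3Nza... admin@laptop\n")          # constructed content
    with open(cfg, "w") as fh:
        fh.write("Port 22\nUseDNS no\n")
    with open(shadow, "w") as fh:
        fh.write("root:*:17000:0:99999:7:::\n")
    os.chmod(cfg, 0o600)
    paths = [keys, cfg, shadow]
    base = baseline(paths)
    assert check(paths, base)[0] == []                              # nothing changed yet

    with open(keys, "a") as fh:
        fh.write("ssh-rsa AAAAB3Nza... attacker@evil\n")             # extra key appended
    os.chmod(cfg, 0o644)                                            # permissions only
    os.remove(shadow)
    changes, _ = check(paths, base)
    return {os.path.basename(p): what for p, what in changes}


if __name__ == "__main__":
    for name, what in demo().items():
        print(f"{name}: {what}")
```

Comparing mode and ownership as well as the digest is what lets the checker flag a world-readable sshd_config even when its text is untouched; the lfd alert above only shows the ls -l line, so reading that line carefully is the manual equivalent.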

These CSF settings should keep you reasonably safe from attacks and intrusions; my VPS is actually using fewer resources since activating this ConfigServer Firewall configuration.

###################################################################################################

Downloading and Installing CSF LFD in Plesk Panel, CentOS, RedHat, CloudLinux using SSH

Must be logged in as ROOT:

su - root

cd /root

Download and installation of CSF LFD:

wget https://download.configserver.com/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

Which ports do I need open for Plesk Panel?

When you run the install script it prints the TCP and UDP ports currently listening for incoming connections. That will not give you every port you need open, nor tell you which ports should be closed, but it is a good starting point.

Note: your settings might be different. If you have no idea, just copy the ports listed when you installed csf/lfd, or contact us and we’ll be happy to help you for free.

Here are two links to the ports used by Plesk Panel. Enable in csf.conf only the ports that need to be reachable from the outside world and keep everything else closed. In particular, do not expose MySQL (port 3306) to the outside, and close any other port you do not want public, such as 8880, the unencrypted Plesk login page.

https://docs.plesk.com/en-US/12.5/administrator-guide/plesk-administration/ports-used-by-plesk.64950/

https://support.plesk.com/hc/en-us/articles/213932745

You will need to reference the ports in the links above with what ports you would like open. I list the correct ports you should use in this tutorial.

Make sure iptables has the correct modules:

perl /etc/csf/csftest.pl

Change to csf installed directory:

cd /etc/csf

Firewall and Login Intrusion Detection

Now edit csf main config file. the creators of configserver did an excellent job explaining what all the options do. So read your configuration and adjust to your liking, depending on how much you want to lock down your system. If you’re a web hosting business make sure to look at the perspective from your hosting customers point of view.

nano /etc/csf/csf.conf

Tip: when you are done editing the file, press CTRL+X and then Y to save the changes.

lfd will not start while TESTING is enabled. While TESTING = "1" csf also installs a cron job that flushes the firewall rules every TESTING_INTERVAL minutes, so a mistake cannot lock you out while you experiment. Once your own IP address is in /etc/csf/csf.allow and the port lists below are right, set it to "0" and restart csf and lfd:

TESTING = "0"

TESTING_INTERVAL = "5"

# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

########################################################
# SECTION:IPv4 Port Settings
#################################
# Lists of ports in the following comma separated lists

Look up the ports for your Plesk Panel version (links above) and, if your server runs other services, open only the ports of the ones you want reachable from the outside world. If your FTP server uses passive mode, add its passive port range as well, written as a range, for example 30000:35000.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,43,53,80,110,143,443,465,587,953,990,993,995,6308,7080,7081,8443,8447,9080"

# Do not allow external access to MySQL (3306) or PostgreSQL (5432): users of
# Plesk Panel 12 can still install applications and reach the database through
# phpMyAdmin or phpPgAdmin. Port 8880 (the unencrypted Plesk login page, see
# above) is also left out; use 8443 instead. If you need remote database
# access, allow it for specific source addresses only, e.g. in /etc/csf/csf.allow:
#   tcp|in|d=3306|s=203.0.113.10

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,106,110,113,143,443,465,587,953,990,993,995,5224,6308,7080,7081,8443,8447,9080"

# Allow incoming UDP ports
UDP_IN = "20,21,43,443,53,953"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,43,53,113,123,443,873,953,6277,9050,33434:33523"
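Port lists like these are easy to get subtly wrong: an empty entry from a stray double comma, a reversed or out-of-range port, or a database port that slipped into an inbound list. Here is an added Python validator (example code for this page, not a csf tool) that parses the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT lines of a csf.conf, reports syntax errors with their position, flags the inbound ports this section says must stay closed (3306, 5432, 8880), and rewrites a list without empty or duplicate entries. The embedded csf.conf fragment is constructed from the listing above with the original ",," typo left in and 3306 added to TCP_IN on purpose so the check has something to find.

```python
import re

# Constructed csf.conf fragment: the lists from this page, with the original
# ",," typo kept in UDP_OUT and 3306 added to TCP_IN on purpose.
SAMPLE_CONF = '''
TCP_IN = "20,21,22,25,43,53,80,110,143,443,465,587,953,990,993,995,3306,6308,7080,7081,8880,8443,8447,9080"
TCP_OUT = "20,21,22,25,37,43,53,80,106,110,113,143,443,465,587,953,990,993,995,5224,6308,7080,7081,8443,8447,9080"
UDP_IN = "20,21,43,443,53,953"
UDP_OUT = "20,21,43,53,113,123,443,873,953,,6277,9050,33434:33523"
'''

# Inbound ports the text above says must not be reachable from the outside.
RISKY_INBOUND = {3306: "MySQL", 5432: "PostgreSQL", 8880: "Plesk login over plain HTTP"}

LIST_RE = re.compile(r'^\s*((?:TCP|UDP)6?_(?:IN|OUT))\s*=\s*"([^"]*)"', re.M)


def parse_port_list(value):
    """Parse a csf port list into (ranges, errors); ranges are (lo, hi) tuples."""
    ranges, errors = [], []
    for idx, item in enumerate(value.split(","), 1):
        item = item.strip()
        if not item:
            errors.append(f"empty entry at position {idx}")
            continue
        lo, _, hi = item.partition(":")
        hi = hi or lo
        if not (lo.isdigit() and hi.isdigit()):
            errors.append(f"non-numeric entry '{item}'")
            continue
        lo, hi = int(lo), int(hi)
        if not 1 <= lo <= hi <= 65535:
            errors.append(f"bad range '{item}'")
            continue
        ranges.append((lo, hi))
    return ranges, errors


def contains(ranges, port):
    """True if port falls inside any (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def audit(conf_text):
    """Check every port list in a csf.conf for syntax errors and risky inbound ports."""
    report = {}
    for key, value in LIST_RE.findall(conf_text):
        ranges, errors = parse_port_list(value)
        warnings, seen = [], set()
        for lo, hi in ranges:
            if (lo, hi) in seen:
                warnings.append(f"duplicate entry {lo}" if lo == hi else f"duplicate entry {lo}:{hi}")
            seen.add((lo, hi))
        if key.endswith("_IN"):                      # only inbound exposure is flagged
            for port, name in sorted(RISKY_INBOUND.items()):
                if contains(ranges, port):
                    warnings.append(f"{port} ({name}) is open to the world")
        report[key] = {"errors": errors, "warnings": warnings}
    return report


def fixed_list(value):
    """Rewrite a port list with empty and duplicate entries removed, order preserved."""
    ranges, _ = parse_port_list(value)
    out, seen = [], set()
    for lo, hi in ranges:
        if (lo, hi) in seen:
            continue
        seen.add((lo, hi))
        out.append(str(lo) if lo == hi else f"{lo}:{hi}")
    return ",".join(out)


if __name__ == "__main__":
    for key, result in audit(SAMPLE_CONF).items():
        print(key, result)
```

To use it on a live server, read /etc/csf/csf.conf into audit() and fix anything it reports before running csf -r; a double comma is harmless in some csf versions and a parse failure in others, so it is not worth leaving in.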

 

# Allow incoming PING. Set to "0" to block incoming ping requests
ICMP_IN = "0"

# Set the per IP address incoming ICMP packet rate (hits per second allowed).
# Note: "0" here disables the rate limit, it does not block ping; use ICMP_IN
# above for that
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate (hits per second allowed),
# so the server can still ping remote hosts

 

# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = "eth+"

# eth+ matches every interface whose name starts with "eth". On distributions
# with predictable interface names (ens3, enp0s3, ...) that matches nothing
# and leaves the server unprotected; on such systems leave ETH_DEVICE empty so
# the rules apply to all interfaces.

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting
# will be used

If you want to skip an interface, for example one facing only your private intranet, list it here (e.g. eth2). Not skipping any network device is recommended.

ETH_DEVICE_SKIP = ""

 

# To switch from the deprecated iptables "state" module to the "conntrack"
# module, change this to 1
USE_CONNTRACK = "1"

# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "400"

I recommend you use ipsets (the LF_IPSET option) once you understand how CSF, lfd and iptables work together. With ipset, the blocklists in /etc/csf/csf.blocklists and the blocked IP addresses are loaded a lot faster.

# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "400"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

###############################################################################
# SECTION:Logging Settings
###############################################################################
LOGFLOOD_ALERT = "0"

# Configure csf to watch IP addresses (with csf -w [ip]). This option will add
# overhead to packet traversal through iptables and syslog logging, so should
# only be enabled while actively watching IP addresses. See readme.txt for more
# information on the use of this option
###############################################

Important: set up the email address that will receive the alerts.

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

If you still do not receive email from csf/lfd, try sending over SMTP directly by changing LF_ALERT_SMTP = "" to LF_ALERT_SMTP = "127.0.0.1", or to the address of your mail server.

 

Important! Make sure to set up Login Failure Blocking for the specific services you run.

###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "8"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_FTPD = "14"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "15"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "2"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_POP3D = "20"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_IMAPD = "20"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = ""
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "3"
LF_MODSEC_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "100"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "1"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "2"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "2"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_WEBMIN = "1"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LF_CONSOLE_EMAIL_ALERT = "1"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

If you want to set up directories that will be watched for changes:

###############################################################################
# SECTION:Directory Watching & Integrity
###############################################################################
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "1800"

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

# This option allows you to have lfd watch a particular file or directory for
# changes and should they change an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
LF_DIRWATCH_FILE = "240"

###############################################################################
# SECTION:Distributed Attacks
###############################################################################
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "1"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "3"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "8"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "5"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"

# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "8"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "4"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"

###############################################################################

# SECTION:Login Tracking


###############################################################################

# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_POP3D = "10"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: affected by RESTRICT_SYSLOG, see above
LT_IMAPD = "30"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

###############################################################################
# SECTION:Connection Tracking
###############################################################################
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = "500"

# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "1"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

Given the false-positive warning above (a NAT gateway in front of an office, or a CloudFlare edge, can legitimately hold hundreds of connections), a temporary block (CT_PERMANENT = "0") is the safer choice for connection tracking; a permanent block of a shared address needs a manual csf -dr to undo.

###############################################################################
# SECTION:Process Tracking
###############################################################################
# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action
#
# The following is the number of seconds a process has to be active before it
# is inspected. If you set this time too low, then you will likely trigger
# false-positives with CGI or PHP scripts.
# Set the value to 0 to disable this feature
PT_LIMIT = "60"

# How frequently processes are checked in seconds
PT_INTERVAL = "60"

# This User Process Tracking option sends an alert if any linux user process
# exceeds the memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "200"

# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
# seconds has passed to prevent email floods.
#
# Set PT_LOAD to "0" to disable this feature
PT_LOAD = "20"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"

# Fork Bomb Protection. This option checks the number of processes with the
# same session id and if greater than the value set, the whole session tree is
# terminated and an alert sent
#
# You can see an example of common session id processes on most Linux systems
# using: "ps axf -O sid"
#
# On cPanel servers, PT_ALL_USERS should be enabled to use this option
# effectively
#
# This option will check root owned processes. Session id 0 and 1 will always
# be ignored as they represent kernel and init processes. csf.pignore will be
# honoured, but bear in mind that a session tree can contain a variety of users
# and executables
#
# Care needs to be taken to ensure that this option only detects runaway fork
# bombs, so should be set higher than any session tree is likely to get (e.g.
# httpd could have 100s of legitimate children on very busy systems). A
# sensible starting point on most servers might be 250
PT_FORKBOMB = "250"

PT_LOAD_LEVEL is an absolute load average, so scale it to the number of cores: a load of 6 is quiet on a 16-core host and a crisis on a 2-core VPS. PT_FORKBOMB is the one setting here that takes action rather than just alerting (it kills the whole session tree), so err on the high side.

Important: this is the section that blocks port scan attempts.

###############################################################################
# SECTION:Port Scan Tracking
###############################################################################
# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates a port block that is logged more than
# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
#
# This feature could, for example, be useful for blocking hackers attempting
# to access the standard SSH port if you have moved it to a port other than 22
# and have removed 22 from the TCP_IN list so that connection attempts to the
# old port are being logged
#
# This feature blocks all iptables blocks from the iptables logs, including
# repeated attempts to one port or SYN flood blocks, etc
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
# cause redundant blocking with DROP_IP_LOGGING enabled
#
# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
# could very quickly fill the iptables rule chains and cause a DOS in itself.
# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
# and the DENY_TEMP_IP_LIMIT with temporary blocks
#
# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
PS_INTERVAL = "120"
PS_LIMIT = "10"

# You can specify the ports and/or port ranges that should be tracked by the
# Port Scan Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_IN. The default setting of
# 0:65535,ICMP covers all ports
PS_PORTS = "0:65535,ICMP"

# To specify how many different ports qualifies as a Port Scan you can increase
# the following from the default value of 1. The risk in doing so will mean
# that persistent attempts to attack a specific closed port will not be
# detected and blocked
PS_DIVERSITY = "1"

# You can select whether IP blocks for Port Scan Tracking should be temporary
# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
# temporarily block the IP address for
PS_PERMANENT = "1"
PS_BLOCK_TIME = "3600"

# Set the following to "1" to enable Port Scan Tracking email alerts, set to
# "0" to disable them
PS_EMAIL_ALERT = "1"

The SECURITY NOTE matters: lfd acts on whatever it reads from IPTABLES_LOG, so if local users can write to the syslog socket they can forge "Blocked" lines and have lfd deny any address they choose. That is why RESTRICT_SYSLOG was set to 3 in Initial Settings, which limits the syslog socket to RESTRICT_SYSLOG_GROUP. Note also that with PS_PERMANENT = "1" every scanner is written to csf.deny for good; on a public web server that list grows steadily, so keep DENY_IP_LIMIT in mind.
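To make the interaction of PS_INTERVAL, PS_LIMIT, PS_PORTS and PS_DIVERSITY concrete, here is an added example (not code from this page or from csf/lfd) that applies the same decision to a handful of constructed /var/log/messages lines in the kernel's iptables LOG format, the format CSF writes when DROP_LOGGING is on. The hostname lithium is taken from the log line quoted later on this page, the addresses are documentation ranges, and the sliding-window logic is this example's approximation of what lfd does, not lfd's own code.

```python
"""Re-implementation of the Port Scan Tracking decision, for illustration only.
The log lines are constructed; fields follow the kernel iptables LOG format."""
import re
from collections import defaultdict
from datetime import datetime

# Values from the csf.conf excerpt above.
PS_INTERVAL = 120          # seconds in the window; 0 disables the feature
PS_LIMIT = 10              # more than this many blocks in the window -> scanner
PS_PORTS = "0:65535,ICMP"  # same syntax as TCP_IN: ports, lo:hi ranges, ICMP
PS_DIVERSITY = 1           # distinct ports a source must hit to count

LOG_RE = re.compile(
    r"\*(?P<kind>[A-Z0-9_]+) Blocked\*.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?")


def parse_line(line):
    """Timestamp, block kind, source, protocol and destination port of one line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2015)
    return {"ts": ts, "kind": m["kind"], "src": m["src"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None}


def port_tracked(proto, dpt, spec=PS_PORTS):
    """True if PS_PORTS says blocks on this protocol/port should be counted."""
    for item in spec.split(","):
        item = item.strip()
        if item.upper() == "ICMP":
            if proto.upper() == "ICMP":
                return True
        elif dpt is not None:
            lo, _, hi = item.partition(":")
            if int(lo) <= dpt <= int(hi or lo):
                return True
    return False


def find_scanners(lines, interval=PS_INTERVAL, limit=PS_LIMIT,
                  diversity=PS_DIVERSITY, ports=PS_PORTS):
    """Map each source that would be blocked to the sorted ports it hit.

    A source qualifies when more than `limit` of its tracked blocks fall inside
    some `interval`-second window and it has touched at least `diversity` ports.
    """
    if interval == 0:
        return {}
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        rec = parse_line(line)
        # Outbound blocks have the server itself as SRC; lfd never blocks that.
        if not rec or rec["kind"].endswith("_OUT"):
            continue
        if port_tracked(rec["proto"], rec["dpt"], ports):
            events[rec["src"]].append((rec["ts"], rec["dpt"]))
    scanners = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        ports_hit = {p for _, p in evs if p is not None}
        if len(ports_hit) < diversity:
            continue
        start = 0
        for i, (ts, _) in enumerate(evs):
            while (ts - evs[start][0]).total_seconds() > interval:
                start += 1
            if i - start + 1 > limit:  # evs[start..i] holds more than `limit` blocks
                scanners[src] = sorted(ports_hit)
                break
    return scanners


def make_log():
    """Constructed /var/log/messages sample: two scanners and one slow retrier."""
    tpl = ("Jul 23 {hh:02d}:{mm:02d}:{ss:02d} lithium kernel: Firewall: *TCP_IN Blocked* "
           "IN=eth0 OUT= SRC={src} DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
           "ID={id} DF PROTO=TCP SPT=44412 DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")
    lines = []
    for i in range(12):  # 198.51.100.7 sweeps ports 21-32 in under a minute
        lines.append(tpl.format(hh=22, mm=40, ss=5 * i, src="198.51.100.7", id=1000 + i, dpt=21 + i))
    for i in range(11):  # 198.51.100.8 hammers the old SSH port 11 times in 50 s
        lines.append(tpl.format(hh=22, mm=41, ss=5 * i, src="198.51.100.8", id=2000 + i, dpt=22))
    for i in range(12):  # 192.0.2.9 retries port 22 every 3 minutes: never > PS_LIMIT per window
        lines.append(tpl.format(hh=23, mm=3 * i, ss=0, src="192.0.2.9", id=3000 + i, dpt=22))
    lines.append("Jul 23 23:40:00 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 "
                 "SRC=203.0.113.10 DST=69.58.188.42 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41190 DF "
                 "PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361")
    return lines


if __name__ == "__main__":
    for src, hit in find_scanners(make_log()).items():
        print(f"{src} would be blocked; ports hit: {hit}")
```

Run it with PS_DIVERSITY raised to 2 and the second source (eleven hits on one closed port) is no longer caught, which is exactly the trade-off the csf.conf comment on PS_DIVERSITY warns about. The slow retrier never exceeds the limit within any 120-second window, so it only ever shows up in the log.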

###############################################################################
# SECTION:User ID Tracking
###############################################################################
# User ID Tracking. This feature tracks UID blocks logged by iptables to
# syslog. If a UID generates a port block that is logged more than UID_LIMIT
# times within UID_INTERVAL seconds, an alert will be sent
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
#
# To ignore specific UIDs list them in csf.uidignore and then restart lfd
#
# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
UID_INTERVAL = "120"
UID_LIMIT = "10"

This is the alert that catches a compromised site's script trying to call out: the UID= field in an outbound block line identifies the local account that opened the connection, and an account that keeps doing it gets reported.

###############################################################################
# SECTION:Account Tracking
###############################################################################
# Account Tracking. The following options enable the tracking of modifications
# to the accounts on a server. If any of the enabled options are triggered by
# a modification to an account, an alert email is sent. Only the modification
# is reported. The cause of the modification will have to be investigated
# manually
#
# You can set AT_ALERT to the following:
# 0 = disable this feature
# 1 = enable this feature for all accounts
# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
# 3 = enable this feature only for the root account
AT_ALERT = "1"

# This option is the interval between checks in seconds
AT_INTERVAL = "60"

# Send alert if a new account is created
AT_NEW = "1"

# Send alert if an existing account is deleted
AT_OLD = "1"

# Send alert if an account password has changed
AT_PASSWD = "1"

# Send alert if an account uid has changed
AT_UID = "1"

# Send alert if an account gid has changed
AT_GID = "1"

# Send alert if an account login directory has changed
AT_DIR = "1"

# Send alert if an account login shell has changed
AT_SHELL = "1"
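What the AT_* settings actually compare is easier to see as code. The following is an added example, not part of this page or of lfd itself: it diffs two snapshots of /etc/passwd and /etc/shadow the way lfd does every AT_INTERVAL seconds and produces the alerts each AT_* flag enables, filtered by the AT_ALERT scope. Both snapshots are constructed sample data, and the shadow "hashes" are placeholder strings rather than real password hashes.

```python
"""Account Tracking as a diff of two passwd/shadow snapshots (illustration only)."""

AT_ALERT = 1                 # 0 off, 1 all accounts, 2 any UID-0 account, 3 root only
AT_NEW = AT_OLD = AT_PASSWD = 1
AT_UID = AT_GID = AT_DIR = AT_SHELL = 1


def parse_passwd(text):
    """name -> {uid, gid, dir, shell} from passwd(5) lines."""
    accounts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
            accounts[name] = {"uid": int(uid), "gid": int(gid), "dir": home, "shell": shell}
    return accounts


def parse_shadow(text):
    """name -> password hash field from shadow(5) lines."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}


def in_scope(name, uid, at_alert):
    """Which accounts the AT_ALERT setting covers."""
    return {0: False, 1: True, 2: uid == 0, 3: name == "root"}[at_alert]


def account_changes(old_passwd, new_passwd, old_shadow, new_shadow, at_alert=AT_ALERT):
    """Return [(account, change)] in account order, one entry per alert lfd would mail."""
    old, new = parse_passwd(old_passwd), parse_passwd(new_passwd)
    old_hash, new_hash = parse_shadow(old_shadow), parse_shadow(new_shadow)
    alerts = []
    for name in sorted(set(old) | set(new)):
        uid = (new.get(name) or old[name])["uid"]
        if not in_scope(name, uid, at_alert):
            continue
        if name not in old:
            if AT_NEW:
                alerts.append((name, "created"))
        elif name not in new:
            if AT_OLD:
                alerts.append((name, "deleted"))
        else:
            for field, enabled in (("uid", AT_UID), ("gid", AT_GID),
                                   ("dir", AT_DIR), ("shell", AT_SHELL)):
                if enabled and old[name][field] != new[name][field]:
                    alerts.append((name, f"{field} {old[name][field]} -> {new[name][field]}"))
            if AT_PASSWD and old_hash.get(name) != new_hash.get(name):
                alerts.append((name, "password changed"))
    return alerts


# Constructed snapshots: the "after" state has a new UID-0 account, a deleted
# user, the web-server account given a login shell, and a changed root password.
OLD_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
psaadm:x:2522:2522:Plesk admin:/usr/local/psa:/sbin/nologin
olduser:x:1001:1001::/home/olduser:/bin/bash
"""
NEW_PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
psaadm:x:2522:2522:Plesk admin:/usr/local/psa:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
"""
OLD_SHADOW = """root:$6$placeholder$OLDHASH:16600:0:99999:7:::
apache:*:16600:0:99999:7:::
psaadm:*:16600:0:99999:7:::
olduser:$6$placeholder$USERHASH:16600:0:99999:7:::
"""
NEW_SHADOW = """root:$6$placeholder$NEWHASH:16640:0:99999:7:::
apache:*:16600:0:99999:7:::
psaadm:*:16600:0:99999:7:::
backup:$6$placeholder$BACKUPHASH:16640:0:99999:7:::
"""

if __name__ == "__main__":
    for account, change in account_changes(OLD_PASSWD, NEW_PASSWD, OLD_SHADOW, NEW_SHADOW):
        print(f"Account Tracking alert: {account}: {change}")
```

With AT_ALERT = "2" the same snapshots produce only the two UID-0 events (the new backup account and root's password), which shows why "1" is the right choice on a hosting server: the apache shell change and the deleted user are the kind of modification an intruder makes to a non-root account.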

###############################################################################
# SECTION:Log Scanner
###############################################################################
# Log Scanner. This feature will send out an email summary of the log lines of
# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
# they match a regular expression in /etc/csf/csf.logignore
#
# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
# be aware that the more files lfd has to track, the greater the performance
# hit. Note: File globs are only evaluated when lfd is started
#
# Note: lfd builds the report continuously from lines logged after lfd has
# started, so any lines logged when lfd is not running will not be reported
# (e.g. during reboot). If lfd is restarted, then the report will include any
# lines logged during the previous lfd logging period that weren't reported
#
# 1 to enable, 0 to disable
LOGSCANNER = "1"

# This is the interval each report will be sent based on the logalert.txt
# template
#
# The interval can be set to:
# "hourly" - sent on the hour
# "daily" - sent at midnight (00:00)
# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
# via cron job
LOGSCANNER_INTERVAL = "hourly"

# Report Style
# 1 = Separate chronological log lines per log file
# 2 = Simply chronological log of all lines
LOGSCANNER_STYLE = "1"

# Send the report email even if no log lines reported
# 1 to enable, 0 to disable
LOGSCANNER_EMPTY = "1"

# Maximum number of lines in the report before it is truncated. This is to
# prevent log lines flooding resulting in an excessively large report. This
# might need to be increased if you choose a daily report
LOGSCANNER_LINES = "3000"

Parallels Plesk Panel 12 Log File Locations:

# Log file locations
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/secure"
SMTPAUTH_LOG = "/usr/local/psa/var/log/maillog"
POP3D_LOG = "/usr/local/psa/var/log/maillog"
IMAPD_LOG = "/usr/local/psa/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"
#CUSTOM1_LOG = "/var/www/vhosts/*/logs/access_log"
CUSTOM2_LOG = "/usr/local/psa/admin/logs/sitebuilder.log"
CUSTOM3_LOG = "/var/log/sw-cp-server/error_log"
CUSTOM4_LOG = "/var/www/vhosts/DOMAIN/logs/error_log"
CUSTOM6_LOG = "/var/www/vhosts/DOMAIN/logs/webmail_access_log"
CUSTOM7_LOG = "/usr/local/psa/admin/logs/panel.log"
CUSTOM10_LOG = "/var/log/nginx/error.log"
CUSTOM11_LOG = "/var/log/magicspam/mslog"

DOMAIN in CUSTOM4_LOG and CUSTOM6_LOG is a placeholder for one vhost; replace it with the site name or comment the two lines out. These paths are what lfd reads for login-failure blocking (SSHD_LOG, FTPD_LOG, SMTPAUTH_LOG, POP3D_LOG, IMAPD_LOG) and for Port Scan Tracking (IPTABLES_LOG), so a wrong path here silently disables that protection: check that each file exists before moving on.

If you changed your SSH port, update PORTS_sshd to match as well; it is the port list CSF uses for sshd when LF_SELECT is enabled, so a block for SSH failures would otherwise be applied to port 22 rather than the port you use.

Now edit /etc/csf/csf.logfiles, the list of logs the Log Scanner summarises, and make sure none of these are missing:

nano /etc/csf/csf.logfiles

# All:
/var/log/messages
/var/log/lfd.log
/var/log/cxswatch.log
/var/log/secure
#/var/log/httpd/access_log
/var/log/httpd/error_log
/usr/local/psa/admin/logs/sitebuilder.log
/usr/local/psa/var/log/maillog
/usr/local/psa/admin/logs/panel.log
#/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/sw-cp-server/error_log
/var/www/vhosts/system/*/logs/error_log
/var/log/plesk/panel.log

Alternative csf.logfiles entries, for Plesk 12 servers whose logs live under /var/log/plesk and /var/log/maillog rather than /usr/local/psa:

/var/log/plesk/panel.log
/var/log/maillog
/var/log/psa-horde/psa-horde.log
/var/log/secure
/var/log/plesk-roundcube/errors
/usr/local/psa/admin/logs/sitebuilder.log
/var/log/httpd/error_log
/var/log/nginx/error.log
/var/log/sw-cp-server/error_log
/var/www/vhosts/*/logs/access_log
/var/log/messages
#/var/log/nginx/access.log

Use whichever set matches the paths that actually exist on your server. Think twice about the /var/www/vhosts/*/logs/access_log glob: it pulls every site's hits into the report, which on a busy server hits LOGSCANNER_LINES within the hour and costs lfd real CPU, which is why the first list keeps the access logs commented out. Globs are only expanded when lfd starts, so restart lfd after editing this file.

Add BlockList Blocking to your Plesk Panel Web Hosting Server

nano /etc/csf/csf.blocklists

Here you subscribe lfd to published IP block lists, which gives your Plesk 12 hosting server some of the reputation-based filtering that a service such as Cloudflare provides. Each line is NAME|INTERVAL|MAX|URL: the list is re-fetched every INTERVAL seconds, MAX caps how many addresses are loaded from it (0 = no cap), and commented lines are disabled.

Uncomment the lists you want to enable. This is the set used here; the Spamhaus lines were left disabled:

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
#SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
DSHIELD|86400|0|http://www.dshield.org/block.txt

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Emerging Threats - Russian Business Networks List
# Details:
# http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
RBN|86400|0|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

# OpenBL.org 30 day List
# Details: http://www.openbl.org
OPENBL|86400|0|http://www.us.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|0|http://www.maxmind.com/en/anonymous_proxies

Two cautions before enabling these. The BOGON list includes the RFC 1918 private ranges, so if this server talks to database or backup hosts on 192.168.x.x or 10.x.x.x addresses, either put those hosts in csf.allow (allow entries take precedence over blocklists) or leave BOGON disabled. And check that each URL still serves a plain list of addresses: lfd only re-fetches every 86400 seconds, and a feed that has moved or shut down leaves you with a stale or empty list rather than an error you will notice.

You will also see Tor exit node lists that you could add. Many legitimate users now rely on Tor for anonymity and privacy, so I recommend not banning the Tor network: it would block people who are only trying to stay anonymous. If you do enable the first list, replace ip=1.1.1.1 in its URL with your server's public address, since that list is built relative to the destination given.

# TOR Exit Nodes List
# To use this list you'll probably need to change URLGET in csf.conf to use
# LWP as this list uses an SSL connection. Alternatively use ALTTOR below
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#TOR|86400|0|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

# Alternative TOR Exit Nodes List
# Details: http://torstatus.blutmagie.de/
#ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

Remember to run these two commands any time you change a CSF or LFD config file; until you do, the loaded rules and the running lfd keep using the old settings (the single command csf -ra does both at once):

sudo csf -r

sudo service lfd restart

################################################################################################

Adding legitimate files to be ignored in /etc/csf/csf.pignore

Now for the tricky part. You need to edit the process and user ignore file so that Process Tracking skips the legitimate daemons and accounts on your server; otherwise you will be flooded with "Suspicious process" alerts for things like nginx workers and qmail.

Tip: watch the mailbox you configured for alerts. Each alert shows exactly which command, executable and user tripped the check, and those are the values you add here, one per line, prefixed with the entry type:

cmd:    the full command line

exe:    the path of the executable

user:   the user the process runs as

Start from the template below, then add whatever your own services turn up; a server providing other services will need further entries. Be selective, though: an exe: entry for an interpreter (exe:/usr/bin/perl, exe:/usr/bin/python, exe:/usr/bin/php-cgi) or a bare user:apache hides every script that interpreter or account ever runs, which is precisely what an attacker's web shell or miner is, and precisely what Process Tracking exists to catch. Prefer narrow cmd: entries for those, like the mailman qrunner line in the template.

nano /etc/csf/csf.pignore

## Custom Added ##

exe:/opt/drweb/drwebd.real

cmd:drwebd.real

user:drweb

user:apache

exe:/usr/sbin/httpd

cmd:/usr/sbin/httpd

user:nginx

exe:/usr/sbin/nginx

cmd:/usr/sbin/nginx

cmd:nginx: worker process

user:postfix

exe:/usr/lib64/plesk-9.0/psa-pc-remote

cmd:/usr/lib64/plesk-9.0/psa-pc-remote -p inet:12768@localhost

exe:/usr/libexec/postfix/tlsmgr

cmd:tlsmgr -l -t unix -u

exe:/usr/libexec/postfix/qmgr

cmd:qmgr -l -t fifo -u

exe:/usr/bin/php-cgi

user:hspc

exe:/usr/bin/perl

cmd:/usr/bin/perl /usr/sbin/hspc-plugin-rpc.fcgi

# Plesk process/user template #

user:admin

exe:/var/qmail/bin/qmail-smtpd

exe:/usr/bin/imapd

exe:/var/qmail/bin/qmail-queue

exe:/usr/bin/pop3d

exe:/var/qmail/bin/qmail-send

cmd:qmail-send

cmd:/usr/bin/pop3d Maildir

cmd:/var/qmail/bin/qmail-queue

cmd:/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

cmd:/usr/bin/imapd Maildir

exe:/var/qmail/bin/qmail-rspawn

cmd:qmail-rspawn

exe:/var/qmail/bin/qmail-clean

cmd:qmail-clean

exe:/usr/sbin/clamd

cmd:clamd

exe:/var/qmail/bin/splogger

cmd:splogger qmail

exe:/var/qmail/bin/qmail-remote.moved

user:qmaill

user:popuser

user:qmaild

user:qmails

user:qmailr

user:qmailq

user:qscand

exe:/usr/sbin/avahi-daemon

user:avahi

exe:/usr/local/sbin/zabbix_agentd

cmd:/usr/local/sbin/zabbix_agentd

user:zabbix

exe:/usr/bin/sw-engine-cgi

cmd:/usr/bin/sw-engine-cgi

user:sso

exe:/usr/sbin/sw-cp-serverd

cmd:/usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

user:sw-cp-server

exe:/usr/bin/sw-engine-cgi

cmd:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm

user:psaadm

exe:/usr/libexec/mysqld

cmd:/usr/libexec/mysqld -basedir=/usr -datadir=/var/lib/mysql -user=mysql -pid-file=/var/run/mysqld/mysqld.pid -skip-external-locking -socket=/var/lib/mysql/m$

user:mysql

exe:/usr/libexec/hald-addon-acpi

exe:/usr/sbin/hald

cmd:hald

user:haldaemon

exe:/usr/bin/postgres

user:postgres

exe:/sbin/portmap

cmd:portmap

user:rpc

exe:/usr/bin/xfs

cmd:xfs -droppriv -daemon

user:xfs

exe:/usr/bin/python

cmd:/usr/bin/python /usr/lib/mailman/bin/qrunner -runner=VirginRunner:0:1 -s

user:mailman

exe:/usr/java/jdk1.6.0_20/bin/java

user:tomcat

CTRL+X to exit and Y to save changes.
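To see what a pignore template actually hides, here is an added example (not code from this page or from csf/lfd) that applies a shortened version of the template above to a few constructed process records in the shape lfd looks at (user, executable path, command line). exe:, cmd: and user: are exact matches; pexe:, pcmd: and puser: are the regular-expression forms, which this example anchors to the whole string. The INTERPRETERS set and the two "unexpected" processes are this example's own.

```python
"""How csf.pignore entries match processes, and which entries are too broad."""
import re

PIGNORE = """## Custom Added ##
user:apache
exe:/usr/sbin/httpd
cmd:nginx: worker process
exe:/usr/bin/php-cgi
exe:/usr/bin/perl
cmd:/usr/bin/perl /usr/sbin/hspc-plugin-rpc.fcgi
pcmd:/usr/bin/python /usr/lib/mailman/bin/qrunner .*
user:mysql
"""

# An exe: entry for one of these hides every script the interpreter runs.
INTERPRETERS = {"/usr/bin/perl", "/usr/bin/python", "/usr/bin/php",
                "/usr/bin/php-cgi", "/bin/sh", "/bin/bash"}


def parse_pignore(text):
    """Return [(line, matcher)] in file order; matcher(proc) -> bool."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        if kind in ("exe", "cmd", "user"):
            rules.append((line, lambda p, k=kind, v=value: p[k] == v))
        elif kind in ("pexe", "pcmd", "puser"):
            rx = re.compile(value)
            rules.append((line, lambda p, k=kind[1:], rx=rx: rx.fullmatch(p[k]) is not None))
        # any other prefix is left out, as a malformed entry
    return rules


def ignored_by(proc, rules):
    """The first pignore line that hides this process, or None if it would be inspected."""
    for line, match in rules:
        if match(proc):
            return line
    return None


def report(procs, rules):
    """Command line -> the pignore line hiding it (or None) for every process."""
    return {p["cmd"]: ignored_by(p, rules) for p in procs}


def broad_entries(rules):
    """exe: entries that name an interpreter rather than a specific daemon."""
    return [line for line, _ in rules
            if line.startswith("exe:") and line[len("exe:"):] in INTERPRETERS]


# Constructed process records: user, exe and cmd as lfd sees them.
PROCS = [
    {"user": "apache", "exe": "/usr/sbin/httpd", "cmd": "/usr/sbin/httpd"},
    {"user": "nginx", "exe": "/usr/sbin/nginx", "cmd": "nginx: worker process"},
    {"user": "mailman", "exe": "/usr/bin/python",
     "cmd": "/usr/bin/python /usr/lib/mailman/bin/qrunner -runner=VirginRunner:0:1 -s"},
    # two things nobody put on the server on purpose:
    {"user": "apache", "exe": "/usr/bin/perl", "cmd": "/usr/bin/perl /tmp/.x/backdoor.pl"},
    {"user": "psaadm", "exe": "/usr/bin/python", "cmd": "/usr/bin/python /tmp/.x/miner.py"},
]

if __name__ == "__main__":
    rules = parse_pignore(PIGNORE)
    for cmd, line in report(PROCS, rules).items():
        print(f"{('ignored by ' + line) if line else 'INSPECTED':55} {cmd}")
    print("over-broad entries:", broad_entries(rules))
```

The perl script under /tmp is hidden twice over, first by user:apache and, if that line is removed, by exe:/usr/bin/perl; only with both gone does lfd get to inspect it. The python process under /tmp is caught because the mailman entry is a narrow pcmd: pattern rather than exe:/usr/bin/python.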

You can lock the system down further with /etc/csf/csf.allow and /etc/csf/csf.ignore. Addresses in csf.allow are always let through the firewall; addresses in csf.ignore are never blocked by lfd's login-failure, port-scan and similar tracking but are still subject to the normal port rules. This is strongly suggested when you run an infrastructure with dedicated database servers, billing servers, off-site backup hosts and the like. The IP you were logged in from over SSH when you installed CSF/LFD is added to csf.allow automatically. If you do not have a static address, use the dynamic DNS feature (DYNDNS in csf.conf) instead.

You have now successfully installed CSF/LFD (ConfigServer Security & Firewall) on your server.

Enable CSF

csf -e

Disable CSF

csf -x

Start CSF

csf -s

Ban an IP (adds it to csf.deny)

csf -d 1.2.3.4

Stop CSF (flushes all rules; -f and --stop are the same option, and lfd may start csf again)

csf -f

Stop LFD

service lfd stop

Start LFD

service lfd start

If you need free help you can visit my Live Help and it would be my honor to help you with any problems you might be having.


###########################################################################################################

If you are experiencing the same issue, the server firewall is the likely cause, so the next step is to find out why the domain's traffic is being caught by it. The first place to look is the firewall log in /var/log/messages. In this case no blocked IP address showed up there for the source server, because inbound and outbound blocks were not being logged.

To see the addresses involved, enable logging of inbound and outbound blocks in CSF:

# vim /etc/csf/csf.conf

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Also log drops of connections from addresses in csf.deny or temporary blocks
DROP_IP_LOGGING = "1"

# Also log dropped outgoing connections
DROP_OUT_LOGGING = "1"

Save, exit and restart CSF.

Then reload the domain and check /var/log/messages again. Now the block is visible: an outgoing connection (*TCP_OUT Blocked*) from this server to DST=69.58.188.42 on port 80, made by the local account with UID=32359:

Jul 23 22:43:01 lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=72.34.59.62 DST=69.58.188.42 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41190 DF PROTO=TCP SPT=59262 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=32359 GID=32361

Before whitelisting anything, check which account has UID 32359 in /etc/passwd and that the connection is one the site is supposed to make; an outbound block from a web-server or vhost user is also exactly what a compromised script looks like. To allow the address through CSF, add it to csf.allow (csf -a) and restart:

#csf -a 69.58.xx.xx

#csf -r

If the address had instead been listed in csf.deny or as a temporary block (csf -g 69.58.xx.xx shows where an address is matched), remove it with csf -dr, or csf -tr for a temporary block, rather than allowing it outright.

After restarting the firewall, check the domain's response time with a script. The domain now loads much faster than before:

[root@server02 ~]# for i in {1..15}; do echo "http://www.domain.com/" | /root/site_response.sh; done

(site_response.sh is the author's own timing script, not shown here; its three columns are connect time, time to first byte and total time, in seconds.)

Time_Connect — Time_start_transfer — Time_total

0.189 0.515 0.669

Time_Connect — Time_start_transfer — Time_total

0.187 0.512 0.668


To let a dedicated database host through without opening the whole address, add the following lines to /etc/csf/csf.allow:

tcp|in|d=3306|s=192.168.1.1

tcp|out|d=3306|d=192.168.1.3

Restart csf with: csf -r

The first line allows incoming connections to port 3306 from 192.168.1.1; the second allows outgoing connections from this server to port 3306 on 192.168.1.3 (for outgoing entries both the port and the peer use d=, since both are destinations). This is far tighter than a bare IP in csf.allow, which permits every port in both directions.
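Tying the two previous steps together, here is an added example (not code from this page or from csf) for triaging the "*TCP_OUT Blocked*" lines that DROP_OUT_LOGGING writes: it groups the blocks by the local account named by the UID field, destination and port, and for each destination you decide to permit emits the csf.allow line in the advanced form shown above (tcp|out|d=PORT|d=IP). The log sample is constructed from the line quoted in the troubleshooting section, the passwd snippet is invented, and SERVICE_USERS is this example's own choice of accounts whose outbound traffic deserves a look before any allow.

```python
"""Triage outbound firewall blocks by local account, destination and port."""
import re
from collections import Counter

OUT_RE = re.compile(
    r"\*(?P<kind>[A-Z_]+) Blocked\*.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+).*?UID=(?P<uid>\d+)")

# Accounts that should not normally open outbound connections on their own.
SERVICE_USERS = {"apache", "nginx", "nobody"}

# Constructed passwd snippet; UID 32359 is the one from the quoted log line.
PASSWD = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
shopowner:x:32359:32361::/var/www/vhosts/shop.example:/bin/false
"""


def uid_to_name(passwd_text):
    """uid -> account name from passwd(5) lines."""
    return {int(l.split(":")[2]): l.split(":")[0] for l in passwd_text.splitlines() if l.strip()}


def outbound_blocks(lines, passwd_text=PASSWD):
    """Counter of (user, dst, proto, dport) over the outbound block lines only."""
    names = uid_to_name(passwd_text)
    counts = Counter()
    for line in lines:
        m = OUT_RE.search(line)
        if not m or not m["kind"].endswith("_OUT"):  # inbound lines carry no UID anyway
            continue
        user = names.get(int(m["uid"]), f"uid {m['uid']}")
        counts[(user, m["dst"], m["proto"].lower(), int(m["dpt"]))] += 1
    return counts


def allow_line(proto, dst, dport):
    """csf.allow entry permitting this server to reach dst:dport."""
    return f"{proto}|out|d={dport}|d={dst}"


def triage(lines, passwd_text=PASSWD):
    """[(user, dst, proto, dport, count, action)] with the most frequent first."""
    rows = []
    for (user, dst, proto, dport), n in outbound_blocks(lines, passwd_text).most_common():
        if user in SERVICE_USERS:
            action = "investigate: web-server account opening outbound connections"
        else:
            action = allow_line(proto, dst, dport)
        rows.append((user, dst, proto, dport, n, action))
    return rows


# Constructed log sample modelled on the line quoted above.
_OUT = ("Jul 23 22:43:{s:02d} lithium kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 "
        "SRC=72.34.59.62 DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={id} DF PROTO=TCP "
        "SPT={spt} DPT={dpt} WINDOW=14600 RES=0x00 SYN URGP=0 UID={uid} GID={gid}")
SAMPLE_LOG = [
    _OUT.format(s=1, dst="69.58.188.42", id=41190, spt=59262, dpt=80, uid=32359, gid=32361),
    _OUT.format(s=4, dst="69.58.188.42", id=41191, spt=59263, dpt=80, uid=32359, gid=32361),
    _OUT.format(s=9, dst="69.58.188.42", id=41192, spt=59264, dpt=80, uid=32359, gid=32361),
    _OUT.format(s=12, dst="198.51.100.20", id=41300, spt=40001, dpt=6667, uid=48, gid=48),
    _OUT.format(s=13, dst="198.51.100.20", id=41301, spt=40002, dpt=6667, uid=48, gid=48),
    "Jul 23 22:43:20 lithium kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=72.34.59.62 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44412 DPT=23 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for user, dst, proto, dport, n, action in triage(SAMPLE_LOG):
        print(f"{n:3d}x {user:<10} -> {dst}:{dport}/{proto}  {action}")
```

The vhost user's repeated connections to the quoted destination get a ready-made allow line; the apache account's connections to a remote port 6667 get flagged for investigation instead, because nothing legitimate on a Plesk web server needs the httpd user to open that on its own.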


Some useful tweak settings on CSF Configuration File

These are mostly the values csf.conf ships with, listed as a second reference; where they differ from the values chosen earlier in this guide (CT_LIMIT, PS_INTERVAL), the earlier values are the ones in use.

IP Limit in Permanent "Deny" File

DENY_IP_LIMIT = "200"

This is the maximum number of entries kept in csf.deny; once it is reached the oldest entries are rotated out as new ones are added, so a higher number keeps more blocked addresses on file (at the cost of more iptables rules).

IP Limit in Temporary "Deny" File

DENY_TEMP_IP_LIMIT = "100"

Similar to DENY_IP_LIMIT, DENY_TEMP_IP_LIMIT is the maximum number of IPs that can be held in the temporary ban list.

SMTP Blocking

SMTP_BLOCK = "0"

When set to "1", SMTP_BLOCK does not completely block outbound SMTP, but it does block it for most users. This prevents malicious scripts and compromised accounts from making outbound connections from unauthorised mail clients on the server. SMTP_BLOCK doesn't stop those scripts from running, but it does stop them from delivering. Mail sent through the proper channels (the local MTA) is still delivered normally.

Allowing SMTP on localhost

SMTP_ALLOWLOCAL = "1"

Custom Mail Port Designation

SMTP_PORTS = "25,465,587"

Allowing SMTP Access to Users/Groups

SMTP_ALLOWUSER = ""

SMTP_ALLOWGROUP = "mail,mailman"

SYN Flood Protection

SYNFLOOD = "0"

SYNFLOOD_RATE = "100/s"

SYNFLOOD_BURST = "150"

Per the documentation, you should only enable SYN flood protection (SYNFLOOD = "1") while you are actually under a SYN flood attack, as it rate-limits all new connections and slows legitimate clients too.

Concurrent Connections Limit

CONNLIMIT = "22;5,80;20"

PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"

These options add customised DoS protection. CONNLIMIT caps the number of concurrent connections a single source IP may hold to a port: here port 22 is limited to 5 and port 80 to 20. PORTFLOOD is rate-based, in the form port;protocol;hits;interval: more than 5 new connections to port 22 within 300 seconds, or more than 20 to port 80 within 5 seconds, gets the source blocked from that port until the interval has elapsed. Both limits are per source address, so an office or mobile carrier behind one NAT address shares the budget, and a single browser fetching a page with many assets can come close to 20 connections in 5 seconds; test the port 80 values against a real page load before relying on them.

Dropping v. Rejecting Packets

DROP = "DROP"

This lets you either DROP or REJECT packets. REJECT tells the sender that the packet has been blocked by the firewall; DROP discards it silently. I prefer DROP for regular use, but REJECT can be more helpful while diagnosing a connectivity issue.

Logging Dropped Connections

DROP_LOGGING = "1"

This logs dropped connections to syslog. There is no reason to turn it off unless the disk is filling up, and Port Scan Tracking depends on it.

Spamhaus Blocklist

LF_SPAMHAUS = "0"

This enables the Spamhaus DROP blocklist. The value is the number of seconds between refreshes; the recommended setting is 86400 (1 day).

Blocking TOR Exit IP Addresses

LF_TOR = "0"

Enabling this blocks Tor exit addresses. Tor is an anonymising proxy network; blocking it also blocks legitimate users who are protecting their anonymity, so I would only turn this on if you are already under attack from Tor exits.

Blocking Bogon Addresses

LF_BOGON = "0"

LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"

LF_BOGON_SKIP = ""

Blocking bogon addresses (addresses that should never appear on the public internet) is usually a good decision. To enable it, set the number of seconds between refreshes; I recommend 86400 (1 day). If you do, be sure to add your private network interfaces to LF_BOGON_SKIP, because the bogon list includes the RFC 1918 ranges.

Country-Specific Access to Your Server

CC_DENY = ""

CC_ALLOW = ""

With these options you can block or allow entire countries. Enter the two-letter country codes as a comma separated list.

CC_ALLOW_FILTER = ""

Alternatively, you can set the server to accept traffic only from a list of country codes. Traffic from all other countries is dropped.

Blocking Login Failures

LF_TRIGGER = "0"

With LF_TRIGGER at 0, each service uses its own failure threshold (LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD and so on); a non-zero value uses that single count across all services instead. There are a lot of useful customisation options in this section.

Scanning Directories for Malicious Files

LF_DIRWATCH = "300"

This scans /tmp and /dev/shm for potentially malicious files and alerts you to their presence, at the interval (in seconds) you set. You can also have CSF remove such files as it finds them by setting the following to "1"; they are appended to a tarball under /var/lib/csf so they can still be examined:

LF_DIRWATCH_DISABLE = "0"

Distributed Attack Protection

LF_DISTATTACK = "0"

Enabling this adds protection against distributed login attacks, where the failures for one account come from many different addresses and so never reach the per-IP trigger.

Blocking Based on Abusive Email Usage

LT_POP3D = "0"

LT_IMAPD = "0"

If an IP address logs in to POP3 or IMAP more often per hour than the non-zero value given here, it is blocked.

Blocking IP Addresses Based on Number of Connections

CT_LIMIT = "0"

This tracks connections and blocks an IP when its connection count is too high. Use caution: set too low, it blocks legitimate traffic.

Application-Level Protection

PT_LIMIT = "60"

This provides application-level protection against scripts that run for a long time: processes alive for longer than this many seconds are inspected.

Blocking Port Scanners

PS_INTERVAL = "300"

PS_LIMIT = "10"

-----

---