Tips
--------
# systemctl restart {csf,lfd}
# systemctl enable {csf,lfd}
# systemctl is-active {csf,lfd}
Each substitution below only fires when the current value is exactly the one in the pattern (for example TESTING = "1"), so check the result with grep afterwards:
perl -pi -w -e "s/TESTING = \"1\"/TESTING = \"0\"/" /etc/csf/csf.conf
perl -pi -w -e "s/SMTP_BLOCK = \"0\"/SMTP_BLOCK = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DSHIELD = \"0\"/LF_DSHIELD = \"86400\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_SPAMHAUS = \"0\"/LF_SPAMHAUS = \"86400\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DIRWATCH = \"300\"/LF_DIRWATCH = \"120\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DIRWATCH_DISABLE = \"0\"/LF_DIRWATCH_DISABLE = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/PT_SKIP_HTTP = \"0\"/PT_SKIP_HTTP = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/PT_USERPROC = \"10\"/PT_USERPROC = \"15\"/" /etc/csf/csf.conf
perl -pi -w -e "s/CC_DENY = \"\"/CC_DENY = \"CN,KR,HK,IN,ID,MY,NG,PK,RU,SA,TW,SY,AE\"/" /etc/csf/csf.conf
perl -pi -w -e "s/IGNORE_ALLOW = \"0\"/IGNORE_ALLOW = \"1\"/" /etc/csf/csf.conf
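The perl one-liners above match on the key's current value, so a key that already holds a different value is silently skipped. The following is an added example (not part of the original notes) that matches on the key name instead, keeps a backup and reads the value back before anything is restarted. The function names and the sample csf.conf fragment are this example's own; on a live server CSF_CONF would point at /etc/csf/csf.conf and the sample block would be left out.

```shell
#!/bin/sh
# Added example: idempotent csf.conf edits with a read-back check.
# Constructed sample csf.conf fragment so the script runs offline;
# the real file is /etc/csf/csf.conf.
CSF_CONF=$(mktemp)
cat > "$CSF_CONF" <<'EOF'
# Testing mode: set to 0 once SSH access has been confirmed to survive
TESTING = "1"
TESTING_INTERVAL = "5"
SMTP_BLOCK = "0"
LF_DSHIELD = "0"
CC_DENY = ""
EOF

# get_csf_setting KEY -> prints the quoted value of KEY (empty if absent).
# The "^KEY = " anchor keeps TESTING from matching TESTING_INTERVAL.
get_csf_setting() {
    sed -n "s/^$1 = \"\([^\"]*\)\"/\1/p" "$CSF_CONF" | head -n 1
}

# set_csf_setting KEY VALUE -> rewrite KEY whatever its current value,
# keep a .bak copy, return 1 if the key is missing or the write did not land.
# "|" is used as the sed delimiter because values such as "1/s" contain "/".
set_csf_setting() {
    key=$1 value=$2
    grep -q "^$key = " "$CSF_CONF" || { echo "no such key: $key" >&2; return 1; }
    cp "$CSF_CONF" "$CSF_CONF.bak"
    sed -i "s|^$key = \".*\"|$key = \"$value\"|" "$CSF_CONF"
    [ "$(get_csf_setting "$key")" = "$value" ]
}

# Usage: set_csf_setting TESTING 0 && set_csf_setting CC_DENY "CN,KR,HK" && csf -r
```

Running `csf -r` only after every `set_csf_setting` call has returned success avoids reloading a firewall whose configuration is not what you think it is.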
Directory structure:
/etc/csf/ - configuration files
/var/lib/csf/ - temporary data files
/usr/local/csf/bin/ - scripts
/usr/local/csf/lib/ - perl modules and static data
/usr/local/csf/tpl/ - email alert templates
service csf restart
service lfd restart
systemctl restart csf.service
systemctl restart lfd.service
Remove all permanent IP blocks
# csf -df
# /usr/sbin/csf -df
Cron Jobs: crontab -e
0 10 15 * * csf -df
0 10 15 * * /usr/sbin/csf -df
Flush all IP addresses from temporary list.
# csf -tf
# vi /etc/csf/csf.conf
1 – to enable an option
0 – to disable an option
Then restart csf:
csf -r
# grep -ni email /etc/csf/csf.conf
Don't Block IP addresses that are in the csf.allow files.
IGNORE_ALLOW = "1"
Disable email alerts:
# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "0"
Enable only IP Block and ssh notification email alerts in CSF firewall
LF_ALERT_TO = "0"
Stop CSF Plugin from emailing alerts about Permanent Block IP?
LF_PERMBLOCK_ALERT = "0"
Enable/Disable Port Scanning Email Alert
PS_EMAIL_ALERT = "0"
Managing root user emails: either via the /root/.forward file, or via the LF_ALERT_TO and LF_ALERT_FROM reporting settings in the /etc/csf/csf.conf CSF config file.
Setting the email address:
LF_ALERT_TO = "csf@worldcm.net" [ csf alerts will be delivered to this address ]
Address that CSF emails are received from:
LF_ALERT_FROM = " "
CSF does not show the country of an IP:
CC_LOOKUPS = "1"
CC_SRC = "2"
To block all incoming and outgoing connections except those from whitelisted IPs, issue the following:
csf -d 0.0.0.0/0 # "block all connections"
CSF firewall – Limit FTP access to specific IPs only on the server (allow only selected IP addresses, e.g. users connecting via a specific hostname, to access FTP)
# vi /etc/csf/csf.allow
tcp|in|d=21|s=195.24.75.5
tcp defines the protocol we're using (FTP, like MySQL, uses TCP sockets).
in defines that this rule pertains to inbound traffic or traffic coming into your system from an external one.
d=21 is the port number which FTP uses by default.
s=195.24.75.5 is the IP address we want to allow into our system on the port and protocol specified above (corresponds to portal4321.vps22.hostingserver.com).
Save the file. Restart CSF using csf -r.
To allow IP address 192.0.2.0 to access MySQL on port 2222, add this to the csf.allow file:
tcp|in|d=2222|s=192.0.2.0
ALLOWING PORT ACCESS BY IP ADDRESS IN CSF
tcp|in|d=3306|s=192.0.2.0
tcp|in|d=22|s=192.168.0.1
csf.allow:
tcp|in|d=80|s=1.1.1.1
tcp|in|d=443|s=1.1.1.1
Allow anyone to reach ports 80 and 443; block everyone apart from my IPs on ports 22 and 21.
In csf.deny, to "block all other access to port 22 / ssh":
tcp|in|d=22|s=0.0.0.0/0
Block all IPs by adding this to # vi /etc/csf/csf.deny
0.0.0.0/0
Block an outgoing connection to an IP using CSF
You can block outgoing traffic to a specific IP and port by entering this in csf.deny:
tcp|out|d=80|d=12.34.56.78/24
udp|out|d=80|d=12.34.56.78/24
--------------------
----------------------------------------------------------------------------------
# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44
# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44
Note: If omitted, the default protocol is set to "tcp" and the default connection
direction is set to "in", so:
# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11
# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99
# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11
# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com
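The advanced rule syntax above has two defaults (protocol "tcp", direction "in") and a small set of field prefixes. The following is an added example (not from the original notes or from CSF itself) that normalises an entry into its explicit form and rejects fields lfd would not recognise, which catches the common ":" separator mistake before `csf -r` reloads the file. The function name is this example's own.

```shell
#!/bin/sh
# Added example: normalise and validate a csf.allow / csf.deny entry.
# normalize_csf_rule 'RULE' -> prints "proto|dir|fields", returns 1 if invalid.
normalize_csf_rule() {
    rule=$1 proto=tcp dir=in rest= seen=0
    OLDIFS=$IFS
    IFS='|'; set -f; set -- $rule; set +f     # split on "|" without globbing
    IFS=$OLDIFS
    for f in "$@"; do
        case $f in
            tcp|udp|icmp)  proto=$f ;;                 # protocol field
            in|out)        dir=$f ;;                   # direction field
            d=*|s=*|u=*)   rest="$rest|$f"; seen=1 ;;  # port/dest IP, source, UID
            '')            rest="$rest|" ;;            # empty slot, as in tcp|out|d=80||u=99
            *)  echo "invalid field '$f' in rule '$rule'" >&2; return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "rule '$rule' has no d=/s=/u= field" >&2; return 1; }
    printf '%s|%s%s\n' "$proto" "$dir" "$rest"
}

# Usage: check a whole file before reloading, e.g.
#   grep -v '^#' /etc/csf/csf.allow | while read -r r; do normalize_csf_rule "$r"; done
```

Entries written with ":" instead of "|" (a mistake that appears in several cheat sheets) arrive as a single unrecognised field and are rejected rather than silently ignored.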
Setting LF_TRIGGER to "20": an offending IP address will be blocked when any of the enabled application triggers reach "20" failed logins.
LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
How to disable notifications
Stop emails containing "Suspicious process running under user X":
ALL LF_ALERT settings are set to 0.
Edit # vi /etc/csf/csf.conf and find PT_USERMEM and PT_USERTIME:
PT_USERMEM = "0"
PT_USERTIME = "0" # [default PT_USERTIME = 1800]
PT_LIMIT = "0" # [stop Suspicious process alert emails; default PT_LIMIT = 60]
LF_SSH_EMAIL_ALERT = "0" # [stop ssh login alert]
CSF/LFD: stop emails containing "Suspicious process running under user X":
LF_EMAIL_ALERT = "0"
PT_USERMEM = "0"
PT_USERTIME = "0"
Suspicious File Alert [ list of files that lfd directory watching will ignore]
# vim /etc/csf/csf.fignore
/tmp/apache-build/.*
/tmp/php-build/.*
OR
/tmp/.*
------------------
PT_LIMIT = "0"
PT_DELETED = "1"
Suspicious SPAMD CHILD process
[root@mail csf]# vi /etc/csf/csf.pignore # add the line below at the end of the file
cmd:spamd child
Disabling LFD Notifications
LF_PERMBLOCK_ALERT = "0"
## server check
FASTSTART = "1" [default 1]
SYSLOG_CHECK = "600" [default 0]
URLGET = "2" [default 1]
AUTO_UPDATES = "1" [default off]
DURATION OF IP BLOCK Time
The PS_PERMANENT switch determines whether a block will be temporary or permanent. In case the IP block is temporary, the duration of the IP block can be defined under PS_BLOCK_TIME.
PORT SCAN TRACKING
If PS_INTERVAL is left at the default value of 300 and PS_LIMIT is set to 10, any IP address that is logged more than 10 times over a period of 300 seconds will be blocked.
Port Scan Tracking: this feature tracks port blocks logged by iptables [useful against elaborate DDoS].
Default: PS_INTERVAL = "300" and PS_LIMIT = "20"
PS_INTERVAL = "300"
PS_LIMIT = "20"
To disable Port Scan Tracking, set the interval to zero:
PS_INTERVAL = "0" # default 300
Port Scan Tracking requires DROP_LOGGING = "1" and DROP_IP_LOGGING = "0".
You could also reduce the interval from 300 to 120, for example.
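To see what a given PS_INTERVAL / PS_LIMIT pair would do before changing it, the same counting can be replayed over iptables drop log lines. The following is an added example (not from the original notes or from lfd): the log lines are constructed for this demo in the style of CSF's "Firewall: *TCP_IN Blocked*" syslog messages produced with DROP_LOGGING on, the function name is this example's own, and the time handling assumes all lines fall on one day.

```shell
#!/bin/sh
# Added example: replay Port Scan Tracking thresholds over drop-log lines.
# Constructed sample log (real lines live in /var/log/messages or the journal).
SAMPLE_LOG=$(mktemp)
{
    # 12 blocked probes from 203.0.113.7 to different ports within 12 seconds
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Mar  3 10:00:%02d mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=%d DPT=%d\n' \
            "$i" $((40000 + i)) $((20 + i))
        i=$((i + 1))
    done
    # 198.51.100.77: one stray hit, then three more twenty minutes later
    printf 'Mar  3 10:00:05 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=3389\n'
    printf 'Mar  3 10:20:00 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=445\n'
    printf 'Mar  3 10:20:01 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=1433\n'
    printf 'Mar  3 10:20:02 mail kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=5900\n'
} > "$SAMPLE_LOG"

# ps_scan_offenders PS_LIMIT PS_INTERVAL [LOGFILE]
# -> prints each SRC address logged more than PS_LIMIT times inside any
#    PS_INTERVAL-second window, once, in the order it crossed the limit.
ps_scan_offenders() {
    awk -v limit="$1" -v interval="$2" '
        /Firewall: \*.* Blocked\*/ {
            split($3, t, ":")                       # syslog HH:MM:SS -> seconds of day
            now = t[1] * 3600 + t[2] * 60 + t[3]
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            n[src]++; ts[src, n[src]] = now          # remember every hit per source
            hits = 0
            for (j = 1; j <= n[src]; j++) if (ts[src, j] > now - interval) hits++
            if (hits > limit && !(src in flagged)) { flagged[src] = 1; print src }
        }' "${3:-$SAMPLE_LOG}"
}

# Usage: ps_scan_offenders 10 300            (the page's PS_LIMIT=10 example)
#        ps_scan_offenders 20 300 /var/log/messages
```

With PS_LIMIT=10 only 203.0.113.7 is flagged; the four hits from 198.51.100.77 never fall inside one 300-second window, which is the false-positive case the interval is meant to avoid.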
Limiting Incoming Connections by Source
Depending on the intended use of your server, you may want to limit incoming connections to a safe number on a per-port basis. To do so, open /etc/csf/csf.conf and search for CONNLIMIT. You can specify multiple port;connections pairs separated by commas. For example,
CONNLIMIT = "22;2,80;10"
This means, the maximum concurrent connections to port 80 (HTTP) from a single IP is 10 and to port 22 (ssh) per IP is 2.
Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports.
PORTFLOOD = "22;tcp;5;300,80;tcp;20;1"
Means: 5 connections per IP-address per 300 seconds to the ssh server; and 20 connections per IP-address per second to the httpd server
PORTFLOOD = "80;tcp;30;5"
# If the number of connections to port 80 exceeds 30 in five seconds, all new connections will be blocked.
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0" (default: ICMP_IN_RATE = "1/s")
ICMP_IN_RATE = "0"
# Allow outgoing PING
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"
ICMP_OUT_RATE = "0"
# Enable login failure detection daemon (lfd).
LF_DAEMON = "1"
# Detect suspicious processes (default 0)
PT_DELETED = "1"
# Enable syslog monitoring (default 0)
SYSLOG_CHECK = "1800"
After save restart CSF by csf -r
# service lfd restart
# systemctl restart lfd
Enable the RESTRICT_SYSLOG, LF_POP3D, LF_IMAPD, SYSLOG_CHECK, RESTRICT_UI and "Check SSH PasswordAuthentication" option checks. These options help prevent brute force attacks on your server services:
RESTRICT_SYSLOG = "3"
LF_POP3D = "3"
LF_POP3D_PERM = "1"
LF_IMAPD = "3"
LF_IMAPD_PERM = "1"
SYSLOG_CHECK = "300"
# HTTP password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
lfd alerts:System Integrity checking detected a modified system file
Edit vi /etc/csf/csf.conf
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase server I/O
# load onto the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"
Here set LF_INTEGRITY = "0" to disable it.
(Note: disabling LF_INTEGRITY is not recommended. You can ignore the above message, as it always occurs after cPanel upgrades and references the files that were upgraded.)
CSF and the mail log line "SASL LOGIN authentication failed: UGFzc3dvcmQ6":
Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "3"
LF_SMTPAUTH_PERM = "1"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "3"
# To disable set to "0"
LF_DISTSMTP = "1"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"
# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "0"
# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"
---------------------------------------X-----------------------------------
Delete messages from .maildir/cur/ with a given subject [subject: "lfd on mail"]:
# grep -R -l -Z "^Subject:.*lfd on mail" .maildir/cur/ | xargs -0 rm -f
E-MAIL ALERTS
LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""
DEFINE PORTS TO TRACK
The PS_PORTS directive defines the ports that should be tracked for port scanning. In case of servers handling multiple users and domains or servers with heavy FTP usage we recommend disabling port scan tracking for FTP. FTP generates a lot of connections and may be the cause of false IP blocks as a result.
We recommend the following if you do wish to enable Port Scan Tracking while facilitating multiple FTP users:
PS_PORTS = "0:19,22:988,991:65535,ICMP"
The excluded ports here are
Port 20 = FTP Data
Port 21 = FTP Control
Port 989 = FTP Data (SSL)
Port 990 = FTP Control (SSL)
In other cases the default setting should work without problems.
Zimbra Port
[root@mail ~]# firewall-cmd --permanent --add-port={25,80,110,143,443,465,587,993,995,5222,5223,9071,7071}/tcp
success
[root@mail ~]# firewall-cmd --reload
MySQL server port: TCP_IN: 3306
---------------------------------------X----------------------------------------------------
Allowing an ip in csf.allow.
csf -a 50.25.25.10
Removing an ip from csf.allow.
csf -ar 50.25.25.10
--------------------
Denying an ip and adding it to csf.deny.
csf -d 50.31.1.52
Removing an ip from csf.deny.
csf -dr 50.31.1.52
-----------------------
Remove all entries in csf.deny.
csf -df
-----------------------
Blocking or allowing only certain countries from connecting to your server by entering the country code in CC_DENY or CC_ALLOW.
CC_DENY = "BZ,CN,US"
CC_ALLOW = "ID,PH,FR"
---------------
Limit the number of IP's kept in the /etc/csf/csf.deny file.
DENY_IP_LIMIT = "50"
Set the numbers to "0" for unlimited IP blocking (csf won't delete the old blocked IPs):
DENY_IP_LIMIT = "0"
DENY_TEMP_IP_LIMIT = "0"
----------
Enable SYN Flood Protection. This option configures iptables to offer some protection from tcp SYN packet DOS attempts.
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
---------
This option allows access from the following countries to specific ports listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.
CC_ALLOW_PORTS = "QA, PH, SA, KG"
CC_ALLOW_PORTS_TCP = "21,22"
This option denies access from the following countries to specific ports listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
CC_DENY_PORTS = "CN"
CC_DENY_PORTS_TCP = "22, 327"
Don't Block IP addresses that are in the csf.allow files.
IGNORE_ALLOW = "1"
Allow Incoming and Outgoing ICMP.
ICMP_IN = "1"
ICMP_OUT = "1"
Send the su and SSH login logs by email.
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
LF_ALERT_TO = "admin@worldcm.net"
LF_ALERT_FROM = "firewall@worldcm.net"
Allowing third party block list checking:
# Enable IP range blocking using the DShield Block List
LF_DSHIELD = "86400"
# Enable IP range blocking using the Spamhaus DROP List
LF_SPAMHAUS = "86400"
# Enable IP range blocking using the BOGON List
LF_BOGON = "86400"
-------------------------------------------------------------------------------------------------------------------------------------------
# Set the PERM setting to "1" to permanently block the IP address, or set LF_TRIGGER_PERM to a
# value greater than "1" and the IP address will be blocked temporarily for that many seconds.
LF_TRIGGER_PERM = "1"
# Block users on ports 22, 21 and 25 after 3 failed connection attempts.
LF_SSHD = "3"
LF_FTPD = "3"
LF_SMTPAUTH = "3"
# To prevent distributed attacks making multiple failed attempts from different IP addresses,
# set the minimum number of unique IP addresses allowed to log in with the same credentials to 3, as below:
LF_DISTATTACK = "1"
LF_DISTATTACK_UNIQ = "3"
# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
LF_DISTFTP = "1"
LF_DISTFTP_UNIQ = 3
LF_DISTFTP_PERM = 1
# Limit the number of connections allowed from a single host
CT_LIMIT = "20"
CT_LIMIT = "0" # 0 disables the per-host connection limit
# Connection Tracking interval in seconds.
CT_INTERVAL = "60"
# Set this to 1 to block IPs permanently.
CT_PERMANENT = "1"
CT_PERMANENT = "0" # blocks will be temporary and cleared after CT_BLOCK_TIME seconds
# Send email alerts for each blocked IP.
CT_EMAIL_ALERT = "0"
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked
CT_BLOCK_TIME = "1800"
# If the number of connections to port 80 exceeds 30 in five seconds, all new connections will be blocked.
PORTFLOOD = "80;tcp;30;5"
PORTFLOOD = "" # an empty value disables port flood protection
Prevent DDoS Attacks
Use the following tutorial to enable the web UI for the CSF firewall on a Linux system:
https://tecadmin.net/how-to-enable-csf-firewall-web-ui/
Configure CSF+LFD to protect the server from DDoS attacks. To enable it, edit /etc/csf/csf.conf and update the following settings.
Total number of connections allowed from a single host. To disable this feature, set this to 0:
CT_LIMIT = "20"
Connection Tracking interval in seconds:
CT_INTERVAL = "30"
Send email alerts for each blocked IP:
CT_EMAIL_ALERT = "1"
Set this to 1 to block IPs permanently:
CT_PERMANENT = "1"
If you opt for temporary IP blocks for CT, then the following is the interval in seconds that the IP will remain blocked:
CT_BLOCK_TIME = "1800"
If you only want to count specific ports (e.g. 22,23,80,443) then list the ports; otherwise keep it empty to check all ports:
CT_PORTS = "22,23,80,443"
Basic DoS/DDoS Mitigation
CT_LIMIT = "150" # default = 0 [sets the limit on connections per IP address]
CT_EMAIL_ALERT = "0"
Port Flood Settings
SYNFLOOD = "1" # default = 0
SYNFLOOD_RATE = "75/s" # default = 4/s [SYNFLOOD_RATE is the number of SYN packets to accept per IP, per second. For the purposes of this tutorial, we'll be using a value of "75/s" on the assumption that a DoS attack is in progress.]
SYNFLOOD_BURST = "25" # default = 150 [the number of times the IP can hit the rate limit before being blocked in the firewall. A setting of 25 works for our purposes.]
# Allow incoming PING
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
ICMP_OUT = "1"
TRIGGERING AN IP BLOCK
If you set LF_TRIGGER to "0" the value of each trigger is the number of failures against that application that will trigger lfd to block the IP address (see below: Application Triggers).
If you set LF_TRIGGER to a value greater than "0" then the following application triggers are simply on or off ("0" or "1") and the value of LF_TRIGGER is the total cumulative number of failures that will trigger lfd to block the IP address.
Example: when setting LF_TRIGGER to "20", an offending IP address will be blocked when any of the enabled application triggers reach "20" failed logins.
Setting any of the application triggers to "0" disables it (see below: application triggers).
If LF_TRIGGER is greater than "0" then LF_TRIGGER_PERM can be set to "1" to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than "1" and the IP address will be blocked temporarily for that value in seconds.
Example: when setting LF_TRIGGER_PERM = "1" => the IP is blocked permanently
When setting LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 3600 seconds (1 hour)
If LF_TRIGGER is "0", then the application LF_[application]_PERM value works in the same way as above and LF_TRIGGER_PERM serves no function.
To only block access to the failed application instead of a complete block for an ip address, you can set the following to "1", but LF_TRIGGER must be set to "0" with specific application[*] trigger levels also set appropriately.
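The two LF_TRIGGER modes above are easy to misread when several application triggers are enabled at once. The following is an added example (not from the original notes or from lfd's own code) that models the decision for one offending IP so a planned csf.conf change can be reasoned about offline; the function names, the "app:threshold:perm:failures" spec format and the sample failure counts are this example's own.

```shell
#!/bin/sh
# Added example: model lfd's LF_TRIGGER / LF_[app] / *_PERM decision.

# block_duration PERM -> "block permanent" when PERM is 1, "block Ns" when PERM > 1
block_duration() {
    if [ "$1" -eq 1 ]; then echo "block permanent"; else echo "block ${1}s"; fi
}

# lfd_block_decision LF_TRIGGER LF_TRIGGER_PERM "app:threshold:perm:failures ..."
#   threshold = the LF_[app] value, perm = LF_[app]_PERM, failures = count seen
# -> prints "allow", "block permanent" or "block Ns" for the IP in question
lfd_block_decision() {
    trigger=$1 trigger_perm=$2 total=0 decision=allow
    for spec in $3; do
        thresh=${spec#*:};   thresh=${thresh%%:*}
        perm=${spec#*:*:};   perm=${perm%%:*}
        fails=${spec##*:}
        [ "$thresh" -eq 0 ] && continue        # LF_[app] = "0": trigger disabled
        if [ "$trigger" -eq 0 ]; then
            # LF_TRIGGER = "0": each enabled app has its own threshold and
            # its own LF_[app]_PERM decides the block duration
            if [ "$fails" -ge "$thresh" ]; then
                decision=$(block_duration "$perm")
                break
            fi
        else
            # LF_TRIGGER > 0: LF_[app] is only on/off; failures are summed
            # across all enabled apps and LF_TRIGGER_PERM decides the duration
            total=$((total + fails))
        fi
    done
    if [ "$trigger" -gt 0 ] && [ "$total" -ge "$trigger" ]; then
        decision=$(block_duration "$trigger_perm")
    fi
    echo "$decision"
}

# Usage: lfd_block_decision 0 3600 'sshd:5:1:5 ftpd:10:3600:2'   -> block permanent
#        lfd_block_decision 20 3600 'sshd:1:1:12 ftpd:1:1:8'     -> block 3600s
```

The second usage line is the case the text warns about: neither application alone would trip a per-application threshold, but with LF_TRIGGER set to "20" the twelve SSH failures and eight FTP failures are counted together.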
APPLICATION TRIGGERS
LF_SSHD = Default: 5 [0-100]
LF_SSHD_PERM = 1
LF_SSHD = The number of logins before an IP block occurs.
LF_SSHD_PERM = The block duration. A value of "1" means a permanent block, a higher value represents a temporary IP block defined in seconds.
For SMTP, FTP and login Password tracking, etc. the same principles apply.
4.2 E-MAIL ALERTS
You can specify an email address to report errors from the Login Failure Daemon.
LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""
CSF Configuration Files
/etc/csf/csf.conf - server-wide configuration file
/etc/csf/csf.allow - IP addresses that will be allowed through iptables
/etc/csf/csf.deny - IP addresses that will be blocked in iptables
/etc/csf/csf.redirect - list of port and/or IP address assignments to direct traffic to alternative ports/IP addresses
/etc/csf/csf.resellers - list of reseller accounts that you want to allow access to limited csf functionality
/etc/csf/csf.dirwatch - list of directories and files that you want to be alerted about when they change
/etc/csf/csf.syslogs - list of log files for the UI System Log Watch and Search features
/etc/csf/csf.logfiles - list of log files for the LOGSCANNER feature
/etc/csf/csf.logignore - list of regular expressions for the LOGSCANNER feature
/etc/csf/csf.blocklists - definitions of IP block lists
/etc/csf/csf.ignore - IP addresses that will be ignored by all lfd checks
/etc/csf/csf.pignore - list of executables (exe), command lines (cmd) and usernames (user) that lfd process tracking will ignore
/etc/csf/csf.rignore - list of domains and partial domains that lfd process tracking will ignore based on reverse and forward DNS lookups
/etc/csf/csf.fignore - list of files that lfd directory watching will ignore
/etc/csf/csf.signore - list of files that LF_SCRIPT_ALERT will ignore
/etc/csf/csf.suignore - list of usernames that are ignored during the LF_EXPLOIT check
/etc/csf/csf.uidignore - list of user IDs (UID) that are ignored by the User ID Tracking feature
/etc/csf/csf.mignore - list of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore
/etc/csf/csf.sips - server-configured IP addresses for which you don't want to allow any incoming or outgoing traffic
/etc/csf/csf.dyndns - FQDNs that will be allowed through the firewall; lfd checks the DNS resolution of each FQDN and adds the IP address to the ALLOWDYNIN and ALLOWDYNOUT iptables chains
/etc/csf/csf.syslogusers - usernames which should be allowed to log via syslog/rsyslog
/etc/csf/csf.smtpauth - IP addresses that will allow EXIM to advertise SMTP AUTH
/etc/csf/csf.rblconf - optional entries for the IP checking against RBLs within csf
Enjoy it!
This article covers some useful CSF SSH Command Line Commands in a "cheat sheet" format.
SSH CSF - ConfigServer Commands
Common SSH commands for CSF [ConfigServer]
comments: 2 / posted Wed, Dec 28, 2016, 04:11:52