Tips

--------

# systemctl restart {csf,lfd} 

# systemctl enable {csf,lfd} 

# systemctl is-active {csf,lfd}

Each of these substitutions only matches when the key still has the exact value in the pattern (for example TESTING = "1"); if the value was already changed, perl -pi silently does nothing, so grep the keys afterwards.

perl -pi -w -e "s/TESTING = \"1\"/TESTING = \"0\"/" /etc/csf/csf.conf
perl -pi -w -e "s/SMTP_BLOCK = \"0\"/SMTP_BLOCK = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DSHIELD = \"0\"/LF_DSHIELD = \"86400\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_SPAMHAUS = \"0\"/LF_SPAMHAUS = \"86400\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DIRWATCH = \"300\"/LF_DIRWATCH = \"120\"/" /etc/csf/csf.conf
perl -pi -w -e "s/LF_DIRWATCH_DISABLE = \"0\"/LF_DIRWATCH_DISABLE = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/PT_SKIP_HTTP = \"0\"/PT_SKIP_HTTP = \"1\"/" /etc/csf/csf.conf
perl -pi -w -e "s/PT_USERPROC = \"10\"/PT_USERPROC = \"15\"/" /etc/csf/csf.conf
perl -pi -w -e "s/CC_DENY = \"\"/CC_DENY = \"CN,KR,HK,IN,ID,MY,NG,PK,RU,SA,TW,SY,AE\"/" /etc/csf/csf.conf
perl -pi -w -e "s/IGNORE_ALLOW = \"0\"/IGNORE_ALLOW = \"1\"/" /etc/csf/csf.conf

Directory structure:
/etc/csf/           - configuration files
/var/lib/csf/       - temporary data files
/usr/local/csf/bin/ - scripts
/usr/local/csf/lib/ - perl modules and static data
/usr/local/csf/tpl/ - email alert templates


Restart csf and lfd (SysV init or systemd):

  service csf restart
  service lfd restart
  systemctl restart csf.service
  systemctl restart lfd.service

Remove all permanent IP blocks

#  csf -df

# /usr/sbin/csf -df

Cron job (crontab -e) to clear csf.deny at 10:00 on the 15th of each month. Either form works in an interactive shell; cron runs with a minimal PATH, so use the full path there:

0 10 15 * * csf -df

0 10 15 * * /usr/sbin/csf -df

Flush all IP addresses from temporary list.

# csf -tf

#   vi /etc/csf/csf.conf

  1 - to enable
  0 - to disable

After editing, restart csf:

   csf -r

# grep -ni email /etc/csf/csf.conf

Don't Block IP addresses that are in the csf.allow files.

IGNORE_ALLOW = "1"

Disable IP block email alerts:

   # Send an email alert if an IP address is blocked by one of the [*] triggers
   LF_EMAIL_ALERT = "0"

Enable only IP block and SSH login email alerts in the CSF firewall. LF_ALERT_TO holds the recipient address and is not an on/off switch; the switches are the individual *_ALERT keys:

   LF_EMAIL_ALERT = "1"
   LF_SSH_EMAIL_ALERT = "1"
   # and set the other alert keys (LF_PERMBLOCK_ALERT, PS_EMAIL_ALERT, CT_EMAIL_ALERT, LF_SU_EMAIL_ALERT, ...) to "0"

Stop CSF Plugin from emailing alerts about Permanent Block IP?

   LF_PERMBLOCK_ALERT = "0"

Enable/Disable Port Scanning Email Alert

  PS_EMAIL_ALERT = "0"

Root's mail goes wherever /root/.forward sends it, or set the reporting addresses directly in /etc/csf/csf.conf with LF_ALERT_TO and LF_ALERT_FROM.

Setting the recipient address (lfd sends its alerts here):

 LF_ALERT_TO = "csf@worldcm.net"

Setting the sender address on mail from csf/lfd (leave it empty, not a space, to use the default):

 LF_ALERT_FROM = ""

csf does not show the country for IP addresses: enable lookups and choose a data source.

CC_LOOKUPS = "1"
CC_SRC = "2"       # 1 = MaxMind (needs a licence key), 2 = the DB-IP/ipdeny/iptoasn source

Block all incoming and outgoing connections except whitelisted IPs. csf evaluates csf.allow before csf.deny, so allowed addresses still pass, but add your own management IP to csf.allow FIRST or this will cut off the session you are typing in:

csf -a 203.0.113.1    # your own address (example value)
csf -d 0.0.0.0/0      # "block all connections"


CSF firewall - only allow FTP access from specific IP addresses (limit FTP to selected IPs):

# vi /etc/csf/csf.allow
tcp|in|d=21|s=195.24.75.5

Save the file and restart CSF with csf -r. This line only adds an allow; to keep everyone else out, also remove 21 from TCP_IN or add a matching deny (see the port 22 example below).


To allow 192.0.2.0 to reach a service on port 2222, add this to csf.allow (use the pipe-separated form; the older colon-separated form is ambiguous with IPv6 addresses):

tcp|in|d=2222|s=192.0.2.0





ALLOWING PORT ACCESS BY IP ADDRESS IN CSF

tcp|in|d=3306|s=192.0.2.0

tcp|in|d=22|s=192.168.0.1

csf.allow:
tcp|in|d=80|s=1.1.1.1
tcp|in|d=443|s=1.1.1.1



Allow anyone to reach ports 80 and 443 (keep them in TCP_IN), but block everyone apart from my IPs on ports 22 and 21: put the allows in csf.allow as above, then add to csf.deny ("block all other access to port 22 / ssh"). Note the /0: a bare 0.0.0.0 matches only that single address.

tcp|in|d=22|s=0.0.0.0/0


Deny everything (all ports) with a single line in csf.deny (# vi /etc/csf/csf.deny); only csf.allow entries get through, so whitelist your own IP first:

0.0.0.0/0
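Both recipes above depend on order: csf evaluates csf.allow before csf.deny, so a blanket deny is harmless only if the allow for your own address already exists. The function below is an added example for this page (not csf code) that enforces that check before appending a tcp|in|d=PORT|s=0.0.0.0/0 line to csf.deny. It assumes you are working over SSH, so sshd has set SSH_CLIENT to the address you are connected from, and takes the allow/deny paths as optional arguments so it can be exercised on copies; csf -r is still needed afterwards.

```shell
#!/bin/sh
# Added example for this page, not ConfigServer code.
# csf_lockdown_port PORT [ALLOW_FILE] [DENY_FILE]
#   Appends  tcp|in|d=PORT|s=0.0.0.0/0  to csf.deny only if csf.allow already
#   holds an allow covering PORT from the IP this SSH session comes from:
#   either the plain address (what csf -a writes, all ports) or
#   tcp|in|d=PORT|s=ADDRESS. exit 0: deny present; exit 1: refused.
csf_lockdown_port() {
    port=$1; allow=${2:-/etc/csf/csf.allow}; deny=${3:-/etc/csf/csf.deny}
    me=${SSH_CLIENT%% *}          # sshd sets "client-ip client-port server-port"
    if [ -z "$me" ]; then
        echo "SSH_CLIENT is unset (not an SSH session?); refusing to lock port $port" >&2
        return 1
    fi
    me_re=$(printf '%s' "$me" | sed 's/\./\\./g')
    # Exact address or /32 only; a wider CIDR might cover us too, but no
    # subnet math is attempted here, so it is treated as "not proven".
    if ! grep -Eq "^(tcp\|in\|d=$port\|s=)?$me_re(/32)?([[:space:]]|#|\$)" "$allow"; then
        echo "no allow for $me on port $port in $allow; add e.g. 'tcp|in|d=$port|s=$me' first" >&2
        return 1
    fi
    rule="tcp|in|d=$port|s=0.0.0.0/0"
    if grep -Fq "$rule" "$deny"; then
        echo "$rule already present in $deny" >&2
        return 0
    fi
    printf '%s # locked down %s\n' "$rule" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$deny"
}
```

After it returns 0, run csf -r and open a second SSH session to confirm you still get in before closing the first one.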


Block outgoing connections to an IP (or range) and port using CSF by adding these to csf.deny (for "out" rules the target address is also given with d=, as in the readme examples below):

tcp|out|d=80|d=12.34.56.78/24
udp|out|d=80|d=12.34.56.78/24

                                               --------------------


----------------------------------------------------------------------------------

# TCP connections inbound to port 3306 from IP 11.22.33.44

tcp|in|d=3306|s=11.22.33.44


# TCP connections outbound to port 22 on IP 11.22.33.44

tcp|out|d=22|d=11.22.33.44


Note: If omitted, the default protocol is set to "tcp", the default connection direction is set to "in", so:


# TCP connections inbound to port 22 from IP 44.33.22.11

d=22|s=44.33.22.11


# TCP connections outbound to port 80 from UID 99

tcp|out|d=80||u=99


# ICMP connections inbound for type ping from 44.33.22.11

icmp|in|d=ping|s=44.33.22.11


# TCP connections inbound to port 22 from Dynamic DNS address

# www.configserver.com (for use in csf.dyndns only)

tcp|in|d=22|s=www.configserver.com
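The readme examples above show the grammar, but nothing checks a file against it before csf -r, and the two mistakes seen earlier on this page (a colon-separated line, a bare 0.0.0.0 meant as "any") fail quietly or match the wrong thing. The checker below is an added pre-flight example written for this page; it is not csf's own parser, which remains the authority. It accepts the plain address/CIDR form and the |-separated advanced form, counts the tokens so that protocol, direction, port, address and UID/GID each appear at most once, and rejects the two mistakes. POSIX sh with grep and sed only; the sample csf.allow lines it checks are constructed inline.

```shell
#!/bin/sh
# Added example for this page: pre-flight syntax check for csf.allow / csf.deny
# lines, following the advanced filter grammar quoted above:
#     proto|dir|s/d=port|s/d=ip|u/g=id       (any field may be omitted)
# Not ConfigServer's parser; a pass here is necessary, not sufficient.

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?'

# csf_check_entry LINE -> exit 0 if LINE looks valid, 1 with a reason on stderr.
# The body is a subshell, so IFS/set -f stay local and 'exit' only leaves it.
csf_check_entry() (
    set -f
    line=$(printf '%s' "${1%%#*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$line" ] && exit 0                      # blank or comment-only
    # Simple form: a single IPv4/IPv6 address or CIDR
    printf '%s\n' "$line" | grep -Eq "^$IPV4\$" && exit 0
    printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F:]*:[0-9a-fA-F:]*(/[0-9]{1,3})?$' && exit 0
    case "$line" in
        tcp:*|udp:*|icmp:*)
            echo "$line: colon separators; use | (colons clash with IPv6)" >&2; exit 1 ;;
        *\|*) ;;
        *)  echo "$line: neither an address/CIDR nor a |-separated filter" >&2; exit 1 ;;
    esac
    proto=0; dir=0; port=0; ip=0; id=0
    IFS='|'
    for tok in $line; do
        case "$tok" in
            "") ;;                                 # tcp|out|d=80||u=99 has an empty field
            tcp|udp|icmp) proto=$((proto + 1)) ;;
            in|out)       dir=$((dir + 1)) ;;
            [sd]=*)
                v=${tok#*=}
                if printf '%s\n' "$v" | grep -Eq '^[0-9]+(:[0-9]+)?$'; then
                    port=$((port + 1))             # port or port range
                elif [ "$v" = "0.0.0.0" ]; then
                    echo "$line: 0.0.0.0 matches one address; use 0.0.0.0/0 for 'any'" >&2; exit 1
                elif printf '%s\n' "$v" | grep -Eq "^$IPV4\$"; then
                    ip=$((ip + 1))
                elif printf '%s\n' "$v" | grep -Eq '^[a-z-]+$'; then
                    port=$((port + 1))             # ICMP type name such as ping
                elif printf '%s\n' "$v" | grep -Eq '^[A-Za-z0-9.-]+$'; then
                    ip=$((ip + 1))                 # hostname (csf.dyndns only)
                else
                    echo "$line: unrecognised value '$v'" >&2; exit 1
                fi ;;
            [ug]=*)
                printf '%s\n' "${tok#*=}" | grep -Eq '^[0-9]+$' \
                    || { echo "$line: u=/g= need a numeric id" >&2; exit 1; }
                id=$((id + 1)) ;;
            *)  echo "$line: unknown token '$tok'" >&2; exit 1 ;;
        esac
    done
    for n in $proto $dir $port $ip $id; do
        [ "$n" -le 1 ] || { echo "$line: a field is given more than once" >&2; exit 1; }
    done
    [ $((port + ip + id)) -ge 1 ] || { echo "$line: no port, address or uid/gid" >&2; exit 1; }
    exit 0
)

# csf_check_file FILE -> exit 0 if every line passes, 1 otherwise (all errors printed)
csf_check_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        csf_check_entry "$l" || bad=$((bad + 1))
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

Typical use: csf_check_file /etc/csf/csf.allow && csf_check_file /etc/csf/csf.deny && csf -r, so a typo is reported before the rules are reloaded.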



With LF_TRIGGER set to "20", an offending IP address is blocked when the enabled application triggers reach "20" failed logins in total (the per-application values then act only as on/off switches).

LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour (a value of "1" would mean a permanent block)



How to disable notifications

Stop emails containing "Suspicious process running under user X" (process tracking). Setting every LF_*ALERT key to 0 silences all of lfd's mail; the keys below switch off only the checks that produce this alert. Whitelisting the process in csf.pignore (next section) is the narrower fix.

Edit # vi /etc/csf/csf.conf and find PT_USERMEM and PT_USERTIME:

PT_USERMEM = "0"           # default 512 (MB); 0 disables the memory check
PT_USERTIME = "0"          # default 1800 (seconds); 0 disables the CPU-time check
PT_LIMIT = "0"             # default 60; 0 disables process tracking entirely
LF_SSH_EMAIL_ALERT = "0"   # stop SSH login alerts
LF_EMAIL_ALERT = "0"       # stop IP block alerts

Suspicious File Alert  [ list of files that lfd directory watching will ignore]

#  vim /etc/csf/csf.fignore 

 /tmp/apache-build/.*

 /tmp/php-build/.*

             OR

 /tmp/.*

               ------------------

PT_LIMIT = "0"

PT_DELETED = "1"

Suspicious "spamd child" process alerts: whitelist the command in csf.pignore.

[root@mail csf]# vi /etc/csf/csf.pignore        # add the line at the end of the file

cmd:spamd child

Disabling lfd permanent-block notifications:

LF_PERMBLOCK_ALERT = "0"

## server check

FASTSTART = "1"        # [default 1]
SYSLOG_CHECK = "600"   # [default 0 = disabled; the value is the check interval in seconds]
URLGET = "2"           # [default 1; 1 = LWP, 2 = curl/wget]
AUTO_UPDATES = "1"     # [default 0; the option takes "1"/"0", not on/off]


DURATION OF IP BLOCK Time

The PS_PERMANENT switch determines whether a block will be temporary or permanent. In case the IP block is temporary, the duration of the IP block can be defined under PS_BLOCK_TIME.


 PORT SCAN TRACKING

Port Scan Tracking tracks port blocks logged by iptables to syslog. With PS_INTERVAL at the default 300 and PS_LIMIT at 10, any IP address whose blocked packets are logged more than 10 times within 300 seconds is blocked.

 - csf.conf defaults: PS_INTERVAL = "300" and PS_LIMIT = "10"; raising PS_LIMIT to "20" makes it more lenient:

PS_INTERVAL = "300"
PS_LIMIT = "20"

To disable port scan tracking:

PS_INTERVAL = "0"   # default 300

Because it reads the iptables log, this feature needs DROP_LOGGING = "1" and DROP_IP_LOGGING = "0", as csf.conf says.

You could also shorten the interval from 300 to 120, for example.


Limiting Incoming Connections by Source

Depending on the intended use of your server, you may want to limit incoming connections to a safe number on a port basis. To do so, open /etc/csf/csf.conf and search for CONNLIMIT. You can specify multiple port; connections pairs separated by commas. For example,

CONNLIMIT = "22;2,80;10"

This means, the maximum concurrent connections to port 80 (HTTP) from a single IP is 10 and to port 22 (ssh) per IP is 2.

Port Flood Protection. This option configures iptables to offer protection from DOS attacks against specific ports. Format: port;protocol;hit count;interval seconds, comma-separated per port.

PORTFLOOD = "22;tcp;5;300,80;tcp;20;1"

Means: more than 5 new connections from one IP address within 300 seconds to the ssh server, or more than 20 per second to the httpd server, blocks that IP from that port for the interval.

PORTFLOOD = "80;tcp;30;5"

# If new connections to port 80 from one IP exceed 30 in five seconds, its further new connections to port 80 are blocked.

# Allow incoming PING (the option is ICMP_IN)

ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate (e.g. ICMP_IN_RATE = "1/s")
# To disable rate limiting set to "0"

ICMP_IN_RATE = "0"

# Allow outgoing PING

ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate
# To disable rate limiting set to "0"

ICMP_OUT_RATE = "0"

# Enable login failure detection daemon (lfd).

LF_DAEMON = "1"

Detect processes running with a deleted executable (default 0):

PT_DELETED = "1"

# Enable syslog monitoring; the value is the check interval in seconds (default 0 = off)

SYSLOG_CHECK = "1800"

After save restart CSF by csf -r

# service lfd restart

# systemctl restart lfd

Enable the checks flagged by csf's "Check Server Security" report: RESTRICT_SYSLOG, LF_POP3D, LF_IMAPD, SYSLOG_CHECK, RESTRICT_UI and SSH PasswordAuthentication. These help against brute force attacks on server services.

RESTRICT_SYSLOG = "3"
LF_POP3D = "3"
LF_POP3D_PERM = "1"
LF_IMAPD = "3"
LF_IMAPD_PERM = "1"
SYSLOG_CHECK = "300"

# HTTP password protected directories (htaccess authentication failures)

LF_HTACCESS = "5"

LF_HTACCESS_PERM = "1"

lfd alerts:System Integrity checking detected a modified system file

Edit  vi /etc/csf/csf.conf

# To enable this feature set the following to the checking interval in seconds

# (a value of 3600 would seem sensible). This option may increase server I/O

# load onto the server as it checks system binaries.

#

# To disable set to "0"

LF_INTEGRITY = "3600"

Set LF_INTEGRITY = "0" to disable it.

(Note: disabling LF_INTEGRITY is not recommended. The alert can be ignored when it arrives right after a cPanel upgrade and references only files that were upgraded; confirm that with the package manager rather than assuming it.)

CSF and SMTP AUTH failures

A mail log line such as "SASL LOGIN authentication failed: UGFzc3dvcmQ6" (the base64 is just the "Password:" prompt) is an SMTP AUTH failure; lfd counts these under LF_SMTPAUTH:

LF_SMTPAUTH = "3"

LF_SMTPAUTH_PERM = "1"


# Set the following to the minimum number of unique IP addresses that trigger

# LF_DISTATTACK

LF_DISTATTACK_UNIQ = "3"


# To disable set to "0"

LF_DISTSMTP = "1"


# Set the following to the minimum number of unique IP addresses that trigger

# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work

LF_DISTSMTP_UNIQ = "3"


# If this option is set to 1 the blocks will be permanent

# If this option is > 1, the blocks will be temporary for the specified number

# of seconds

LF_DISTSMTP_PERM = "1"


# Send an email alert if LF_DISTSMTP is triggered

LF_DISTSMTP_ALERT = "0"


# This is the interval during which a distributed FTP or SMTP attack is

# measured

LF_DIST_INTERVAL = "300"



---------------------------------------X-----------------------------------



Delete messages in .maildir/cur/ whose subject is an lfd alert from host "mail" (subject "lfd on mail ..."). Give grep the directory explicitly, match the Subject header rather than any body text, and use NUL-separated names so odd filenames are safe:

# grep -rlZ "^Subject: lfd on mail" .maildir/cur/ | xargs -0 rm -f

E-MAIL ALERTS

LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""

DEFINE PORTS TO TRACK

The PS_PORTS directive defines the ports tracked for port scanning. On servers handling many users and domains, or with heavy FTP usage, disable port scan tracking for FTP: FTP (passive mode in particular) opens many connections and causes false IP blocks.

Recommended if you want Port Scan Tracking while serving many FTP users:

PS_PORTS = "0:19,22:988,991:65535,ICMP"

The excluded ports here are 20 and 21 (FTP data and control) and 989 and 990 (FTPS data and control).

In other cases the default setting should work without problems.

Zimbra ports

These firewalld commands open the Zimbra ports on a host that still runs firewalld. csf replaces firewalld (the csf installer requires it to be disabled), so on a csf host add the same ports to TCP_IN instead:

[root@mail ~]# firewall-cmd --permanent --add-port={25,80,110,143,443,465,587,993,995,5222,5223,9071,7071}/tcp
success
[root@mail ~]# firewall-cmd --reload

MySQL server port: TCP_IN: 3306 (only if remote clients need it; a per-IP csf.allow entry is safer than opening it to all)

                                 ---------------------------------------X----------------------------------------------------

Allowing an ip in csf.allow.

csf -a 50.25.25.10

Removing an ip from csf.allow.

csf -ar 50.25.25.10

         -------------------- 

Denying an ip and adding it to csf.deny.

csf -d 50.31.1.52

Removing an ip from csf.deny.

csf -dr 50.31.1.52

    -----------------------

Remove all entries in csf.deny.

csf -df

   -----------------------

Block or allow whole countries by entering the country codes in CC_DENY or CC_ALLOW. CC_ALLOW admits the listed countries on all ports, not just TCP_IN; use CC_ALLOW_PORTS (below) to allow specific ports only.

CC_DENY = "BZ,CN,US"

CC_ALLOW = "ID,PH,FR"

          ---------------

Limit the number of IPs kept in the /etc/csf/csf.deny file.

DENY_IP_LIMIT = "50"

Set the limits to "0" for unlimited IP blocking (csf won't rotate out old blocked IPs):

DENY_IP_LIMIT = "0"

DENY_TEMP_IP_LIMIT = "0"

     ----------

Enable SYN Flood Protection. This option configures iptables to offer some protection from tcp SYN packet DOS attempts.

SYNFLOOD = "1"

SYNFLOOD_RATE = "100/s"

SYNFLOOD_BURST = "150"


   ---------

This option allows access from the listed countries only to the ports in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP.

CC_ALLOW_PORTS = "QA,PH,SA,KG"

CC_ALLOW_PORTS_TCP = "21,22"

This option denies access from the listed countries to the ports in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP.

CC_DENY_PORTS = "CN"

CC_DENY_PORTS_TCP = "22,327"


Allow incoming and outgoing ICMP.

ICMP_IN = "1"

ICMP_OUT = "1"

Send the su and SSH login logs by email.

LF_SSH_EMAIL_ALERT = "1"

LF_SU_EMAIL_ALERT = "1"

LF_ALERT_TO = "admin@worldcm.net"

LF_ALERT_FROM = "firewall@worldcm.net"

Allowing third party block list checking (the value is the refresh interval in seconds):

   # Enable IP range blocking using the DShield Block List
   LF_DSHIELD = "86400"
   # Enable IP range blocking using the Spamhaus DROP List
   LF_SPAMHAUS = "86400"
   # Enable IP range blocking using the BOGON List
   LF_BOGON = "86400"

       -------------------------------------------------------------------------------------------------------------------------------------------

# Set the PERM setting to "1" to permanently block the IP address, or LF_TRIGGER_PERM can be set to a
# value greater than "1" and the IP address will be blocked temporarily for that value in seconds.

LF_TRIGGER_PERM = "1"

# Block users on ports 22, 21 and 25 after 3 failed login attempts.

LF_SSHD = "3"

LF_FTPD = "3"

LF_SMTPAUTH = "3"

# Distributed attack detection: many different IP addresses failing to log in to the same account.
# LF_DISTATTACK_UNIQ is the minimum number of unique IP addresses that triggers it (3 here):

LF_DISTATTACK = "1"

LF_DISTATTACK_UNIQ = "3"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked

LF_DISTFTP = "1"

LF_DISTFTP_UNIQ = "3"

LF_DISTFTP_PERM = "1"

# Connection Tracking: limit the number of concurrent connections allowed from a single host.
# To disable this feature, set it to 0.

CT_LIMIT = "20"

CT_LIMIT = "0"    # no limit per host

# Connection Tracking interval in seconds.

CT_INTERVAL = "60"

# Set this to 1 to block IPs permanently; "0" makes blocks temporary, cleared after CT_BLOCK_TIME seconds.

CT_PERMANENT = "1"

CT_PERMANENT = "0"

# Send an email alert for each blocked IP.

CT_EMAIL_ALERT = "0"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked

CT_BLOCK_TIME = "1800"

# If new connections to port 80 from one IP exceed 30 in five seconds, its further new connections to port 80 are blocked.

PORTFLOOD = "80;tcp;30;5"

PORTFLOOD = ""    # disabled

Prevent DDOS attacks

To enable the web UI for the CSF firewall on Linux, see:

https://tecadmin.net/how-to-enable-csf-firewall-web-ui/

Configure CSF+LFD to protect the server from DDOS attacks. Edit /etc/csf/csf.conf and update the following settings.

Total number of connections allowed from a single host. To disable this feature, set this to 0:

CT_LIMIT = "20"

Connection Tracking interval in seconds:

CT_INTERVAL = "30"

Send email alerts for each blocked IP:

CT_EMAIL_ALERT = "1"

Set this to 1 to block IPs permanently:

CT_PERMANENT = "1"

If you opt for temporary IP blocks for CT, then the following is the interval in seconds that the IP will remain blocked:

CT_BLOCK_TIME = "1800"

If you only want to count specific ports (e.g. 22,23,80,443) then list the ports; leave it empty to check all ports:

CT_PORTS = "22,23,80,443"

Basic DoS/DDoS Mitigation

CT_LIMIT = "150"          # default 0 (disabled); the limit on concurrent connections per IP address

CT_EMAIL_ALERT = "0"

SYN Flood Settings

SYNFLOOD = "1"            # default 0. csf.conf warns to enable this only while actually under a SYN flood: once triggered it slows every new connection to the server.

SYNFLOOD_RATE = "75/s"    # default 100/s. The number of SYN packets to accept per IP, per second; 75/s is used here on the assumption that a DoS attack is in progress.

SYNFLOOD_BURST = "25"     # default 150. The number of times the IP can hit the rate limit before being blocked in the firewall; 25 works for this purpose.

# Allow incoming PING

ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate
# To disable rate limiting set to "0"

ICMP_IN_RATE = "1/s"

# Allow outgoing PING

ICMP_OUT = "1"

TRIGGERING AN IP BLOCK

If you set LF_TRIGGER to "0" the value of each trigger is the number of failures against that application that will trigger lfd to block the IP address (see below: Application Triggers).

If you set LF_TRIGGER to a value greater than "0" then the following application triggers are simply on or off ("0" or "1") and the value of LF_TRIGGER is the total cumulative number of failures that will trigger lfd to block the IP address.

Example: when setting LF_TRIGGER to "20", an offending IP address will be blocked when any of the enabled application triggers reach "20" failed logins.

Setting any of the application triggers to "0" disables it (see below: application triggers).

If LF_TRIGGER is greater than "0" then LF_TRIGGER_PERM can be set to "1" to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than "1" and the IP address will be blocked temporarily for that value in seconds.

Example: when setting LF_TRIGGER_PERM = "1" => the IP is blocked permanently

When setting LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 3600 seconds (1 hour)

If LF_TRIGGER is "0", then the application LF_[application]_PERM value works in the same way as above and LF_TRIGGER_PERM serves no function.

To only block access to the failed application instead of a complete block for an ip address, you can set the following to "1", but LF_TRIGGER must be set to "0" with specific application[*] trigger levels also set appropriately.

 

APPLICATION TRIGGERS

LF_SSHD = "5"        # default 5, range 0-100: the number of failed logins before an IP block occurs
LF_SSHD_PERM = "1"   # the block duration: "1" means a permanent block, a higher value is a temporary block in seconds

For SMTP, FTP, htaccess password tracking, etc. the same principles apply (LF_SMTPAUTH, LF_FTPD, LF_HTACCESS and their _PERM keys).

 

E-MAIL ALERTS

You can specify an email address to report errors from the Login Failure Daemon.

LF_ALERT_TO = ""
LF_ALERT_FROM = ""
LF_ALERT_SMTP = ""

CSF Configuration Files

Server-wide configuration file:

/etc/csf/csf.conf

IP addresses that will be allowed through iptables:

/etc/csf/csf.allow

IP addresses that will be blocked in iptables:

/etc/csf/csf.deny

List of port and/or IP address assignments to direct traffic to alternative ports/IP addresses.

/etc/csf/csf.redirect

List of Reseller accounts that you want to allow access to limited csf functionality.

/etc/csf/csf.resellers

List of directories and files that you want to be alerted when they change.

/etc/csf/csf.dirwatch

List of log files for the UI System Log Watch and Search features.

/etc/csf/csf.syslogs

List of log files for the LOGSCANNER feature.

/etc/csf/csf.logfiles

List of regular expressions for the LOGSCANNER feature.

/etc/csf/csf.logignore

File contains definitions to IP BLOCK lists.

/etc/csf/csf.blocklists

IP addresses will be ignored by all lfd checks.

/etc/csf/csf.ignore

List of executables (exe) command lines (cmd) and usernames (user) that lfd process tracking will ignore.

/etc/csf/csf.pignore

List of domains and partial domain that lfd process tracking will ignore based on reverse and forward DNS lookups.

/etc/csf/csf.rignore

List of files that lfd directory watching will ignore.

/etc/csf/csf.fignore

List of files that LF_SCRIPT_ALERT will ignore.

/etc/csf/csf.signore

List of usernames that are ignored by the LF_EXPLOIT checks.

/etc/csf/csf.suignore

List of user ID’s (UID) that are ignored by the User ID Tracking feature.

/etc/csf/csf.uidignore

List of usernames and local IP addresses that RT_LOCALRELAY_ALERT will ignore.

/etc/csf/csf.mignore

This file is to list any server configured IP addresses for which you don’t want to allow any incoming or outgoing traffic.

/etc/csf/csf.sips

The following FQDN’s will be allowed through the firewall. This is controlled by lfd which checks the DNS resolution of the FQDN and adds the ip address into the ALLOWDYNIN and ALLOWDYNOUT iptables chains.

/etc/csf/csf.dyndns

This file contains the usernames which should be allowed to log via syslog/rsyslog.

/etc/csf/csf.syslogusers

The following IP addresses will allow EXIM to advertise SMTP AUTH.

/etc/csf/csf.smtpauth

This file configures optional entries for the IP checking against RBLs within csf.

/etc/csf/csf.rblconf

Enjoy it!

This article covers some useful CSF SSH command line commands in a "cheat sheet" format.

SSH CSF - ConfigServer Commands (posted Wed, Dec 28, 2016)

Common SSH commands for CSF [ConfigServer]