3-Basic

-------------

Testing mode - TESTING

Enable firewall testing mode. While this is enabled, starting the firewall also installs a CRON job that clears iptables after TESTING_INTERVAL minutes, so that a misconfigured rule set cannot lock you out of the server. Leave it enabled until you are sure that the firewall works. The login failure daemon will not start while this is enabled. Make sure to disable this option and restart the firewall once everything is configured correctly.

Default: 1 Range: 0-1

Testing interval - TESTING_INTERVAL

The interval in minutes at which the CRON job will clear iptables. This uses the server's system clock, so the job runs at multiples of the interval past the hour, not at a fixed offset from when you issued the firewall start command.

Default: 5 Range: 1-60

Restrict syslog - RESTRICT_SYSLOG

Syslog and rsyslog are vulnerable to spoofing: any local user can write arbitrary messages, including lines that look as if they came from sshd or another service, to some system logs via the same unix socket that legitimate local services use. This option can disable all LFD features that rely on syslog and rsyslog logs, so that forged log lines cannot drive blocking or alerts.

Default: 2 Range: 0-3

Restrict syslog group - RESTRICT_SYSLOG_GROUP

This setting is used if RESTRICT_SYSLOG is set to "Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP" (value 3). It restricts write access to the syslog/rsyslog unix socket(s) to members of this group. The group must not already exist in /etc/group before you set RESTRICT_SYSLOG to 3, so choose a name that is unique to the server. Using this option will prevent some legitimate logging, e.g. end-user cron job logs, because those processes can no longer write to the socket.

Default: mysyslog
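As an added illustration (not part of this page or of csf's own code) of the spoofing problem RESTRICT_SYSLOG addresses, the script below stands up a throwaway unix datagram socket in place of /dev/log, injects a forged sshd failure line from an ordinary client, and shows that an lfd-style pattern cannot tell it apart from a genuine one. It also contains the permission check you would run against the real socket. The socket path, the regex and the log text are all constructed for this example.

```python
"""Why RESTRICT_SYSLOG exists: a forged sshd failure line, injected through a
world-writable syslog socket, is indistinguishable from the real thing."""
import os
import re
import socket
import stat
import tempfile

# Simplified sshd-failure pattern of the kind a log-driven blocker uses
# (constructed for this example; not lfd's own regex).
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def syslog_datagram(facility, severity, tag, msg):
    """Build a BSD-syslog datagram as written to /dev/log: <PRI>tag: msg."""
    return f"<{facility * 8 + severity}>{tag}: {msg}".encode()


def socket_writable_by_others(path):
    """The check to run against the real socket (e.g. /dev/log): can users
    outside the owning group write to it?  RESTRICT_SYSLOG=3 aims to make
    this return False."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def spoof_via_socket(sock_path, mode):
    """Bind a collector on sock_path with the given mode, send one forged
    sshd line to it as an ordinary client, and return (received_text, exposed)."""
    collector = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    collector.bind(sock_path)
    os.chmod(sock_path, mode)
    try:
        exposed = socket_writable_by_others(sock_path)
        # facility 4 (auth), severity 6 (info): the same PRI real sshd would use,
        # so the collector cannot tell this datagram from a genuine one.
        forged = syslog_datagram(
            4, 6, "sshd[4242]",
            "Failed password for root from 203.0.113.7 port 51234 ssh2")
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client.sendto(forged, sock_path)
        client.close()
        return collector.recv(4096).decode(), exposed
    finally:
        collector.close()
        os.unlink(sock_path)


def extract_failure(line):
    """Return (user, ip) the way a naive blocker would, or None."""
    m = SSHD_FAIL.search(line)
    return (m.group(1), m.group(2)) if m else None


def demo(mode=0o666):
    """Run the spoof against a throwaway socket; returns ((user, ip), exposed)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "log")
    received, exposed = spoof_via_socket(sock_path, mode)
    return extract_failure(received), exposed


if __name__ == "__main__":
    print(demo())  # (('root', '203.0.113.7'), True)
```

Running the real check is a one-liner: socket_writable_by_others('/dev/log'). With RESTRICT_SYSLOG set to 3 and a dedicated RESTRICT_SYSLOG_GROUP the expected result is False; if it is True, any local account, including a compromised web application user, can inject lines that a log-driven blocker will act on, for example to get an arbitrary address blocked.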

Restrict UI - RESTRICT_UI

Restricts the ability to modify some firewall settings from within the user interface. If the panel interface is compromised, those restricted options could otherwise be used to extend the compromise from the panel to the server itself.

Default: 0

Auto updates - AUTO_UPDATES

Enable firewall auto updates. This option adds a daily CRON job that updates the firewall and login failure daemon automatically if an update is available. Updates are fetched with the client selected by URLGET; see that option for the https:// note.

Default: 1 Range: 0-1

SMTP Settings

Block outgoing SMTP - SMTP_BLOCK

Block outgoing SMTP except for root, the qmail/postfix users and groups, and mailman. This forces scripts and users to hand mail to the qmail/postfix binaries instead of opening sockets to remote SMTP servers directly, the usual route for spam sent by compromised scripts. This option requires the iptables ipt_owner/xt_owner module to be loaded, as the exemptions are matched on the uid/gid of the process that created the connection.

Default: 0 Range: 0-1

Allow local connections - SMTP_ALLOWLOCAL

Allow outgoing SMTP connections to the loopback device on port 25 (If SMTP_BLOCK is enabled).

Default: 1 Range: 0-1

SMTP ports - SMTP_PORTS

SMTP ports to block. List every port that qmail/postfix is configured to listen on; outgoing connections to a port not listed here are not blocked.

Default: 25,465,587

SMTP redirect - SMTP_REDIRECT

Redirect outgoing SMTP connections destined for remote servers from non-bypass users to the local SMTP server, forcing them to relay locally. Such email may require authentication (SMTP AUTH).

Default: 0 Range: 0-1

SMTP allowed users - SMTP_ALLOWUSER

Allow the following comma separated users to bypass SMTP_BLOCK. Note: root user is always allowed.

Default: qmaild,qmaill,qmailp,qmailq,qmailr,qmails,postfix

SMTP allowed groups - SMTP_ALLOWGROUP

Allow the following comma separated groups to bypass SMTP_BLOCK. Note: root group is always allowed.

Default: qmail,nofiles,postfix,postdrop,mail,mailman
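To make the exemption order concrete, here is an added example (written for this page, not csf's own rule generator, whose chains and targets differ) that turns the SMTP_* settings into the iptables argument strings they imply. The rule text is an assumption about how such a policy looks; the owner match and the nat-before-filter ordering are standard iptables behaviour.

```python
"""The kind of iptables OUTPUT rules that SMTP_BLOCK, SMTP_ALLOWLOCAL,
SMTP_ALLOWUSER, SMTP_ALLOWGROUP and SMTP_REDIRECT imply.  Illustration for
this page, not csf's generated ruleset."""


def smtp_rules(cfg):
    """Return iptables argument strings, in the order they must be applied.

    cfg uses the csf.conf option names as keys with Python values, e.g.
    {"SMTP_BLOCK": 1, "SMTP_PORTS": [25, 465, 587], "SMTP_ALLOWUSER": ["postfix"]}.
    """
    if not cfg.get("SMTP_BLOCK"):
        return []
    ports = ",".join(str(p) for p in cfg["SMTP_PORTS"])
    match = f"-p tcp -m multiport --dports {ports}"

    # root is always exempt (as the page says).  xt_owner compares the uid/gid
    # of the socket that generated the packet, so these matches only make sense
    # in chains that see locally generated traffic, i.e. OUTPUT.
    exempt = [f"-m owner --uid-owner {u}"
              for u in ["root"] + list(cfg.get("SMTP_ALLOWUSER", []))]
    exempt += [f"-m owner --gid-owner {g}"
               for g in ["root"] + list(cfg.get("SMTP_ALLOWGROUP", []))]

    rules = []
    if cfg.get("SMTP_REDIRECT"):
        # nat OUTPUT is traversed before filter OUTPUT for local packets, so the
        # MTA's own users must RETURN here; otherwise its outbound deliveries
        # would be redirected back to the local server.
        rules += [f"-t nat -A OUTPUT {match} {e} -j RETURN" for e in exempt]
        rules.append(f"-t nat -A OUTPUT {match} -j REDIRECT --to-ports 25")
    if cfg.get("SMTP_ALLOWLOCAL"):
        # Loopback delivery (including connections REDIRECTed above) stays open.
        rules.append("-A OUTPUT -o lo -p tcp --dport 25 -j ACCEPT")
    rules += [f"-A OUTPUT {match} {e} -j ACCEPT" for e in exempt]
    # Everyone else: reject with a reset so scripts fail fast instead of hanging.
    rules.append(f"-A OUTPUT {match} -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    example = {"SMTP_BLOCK": 1, "SMTP_PORTS": [25, 465, 587], "SMTP_ALLOWLOCAL": 1,
               "SMTP_REDIRECT": 1, "SMTP_ALLOWUSER": ["postfix"],
               "SMTP_ALLOWGROUP": ["postdrop", "mail"]}
    for rule in smtp_rules(example):
        print("iptables", rule)
```

Two things the ordering shows: the exemptions must precede the final REJECT or the MTA itself is cut off, and in this model a REDIRECTed connection only succeeds when SMTP_ALLOWLOCAL is also on, since after redirection it leaves via the loopback interface and would otherwise hit the REJECT.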

Port Flood Settings

Synflood Protection

SYN flood protection - SYNFLOOD

Enable SYN flood protection. This option configures iptables to offer some protection from TCP SYN packet DoS attempts. If triggered it slows down all new connections from any IP address to the server, so it should only be enabled while you are under a SYN flood attack.

Default: 0 Range: 0-1

SYN flood rate - SYNFLOOD_RATE

The maximum average rate of new SYN packets to accept, in iptables --limit syntax (e.g. 100/s).

Default: 100/s

SYN flood burst - SYNFLOOD_BURST

The maximum initial burst of SYN packets to match before the rate limit applies (iptables --limit-burst).

Default: 150

Login Failure Blocking Triggers

Trigger - LF_TRIGGER

Login failure trigger blocking is application specific. If LF_TRIGGER is 0, the value of each application trigger (LF_SSHD, LF_FTPD, etc.) is the number of failures against that application that will cause the login failure daemon to block the IP address. If LF_TRIGGER is greater than 0, the application triggers are simply on or off (0 or 1) and LF_TRIGGER is the total cumulative number of failures, across all enabled applications, that will cause the IP address to be blocked. Set an application trigger to 0 to disable it.

Default: 0 Range: 0-100

Trigger Block time - LF_TRIGGER_PERM

If LF_TRIGGER is greater than 0 then LF_TRIGGER_PERM can be set to 1 to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 1 and the IP address will be blocked temporarily for that value in seconds.

Default: 1 Range: 0-604800

SSHD trigger - LF_SSHD

Enable login failure detection of sshd connections.

Default: 5 Range: 0-100

SSHD trigger block time - LF_SSHD_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

FTPD trigger - LF_FTPD

Enable login failure detection of FTP connections.

Default: 10 Range: 0-100

FTPD trigger block time - LF_FTPD_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

SMTPAUTH trigger - LF_SMTPAUTH

Enable login failure detection of SMTP AUTH connections.

Default: 5 Range: 0-100

SMTPAUTH trigger block time - LF_SMTPAUTH_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

POP3D trigger - LF_POP3D

Enable login failure detection of POP3 connections.

Default: 10 Range: 0-100

POP3D trigger block time - LF_POP3D_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

IMAPD trigger - LF_IMAPD

Enable login failure detection of IMAP connections.

Default: 10 Range: 0-100

IMAPD trigger block time - LF_IMAPD_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

Htaccess trigger - LF_HTACCESS

Enable login failure detection of Apache .htpasswd connections.

Default: 5 Range: 0-100

Htaccess trigger block time - LF_HTACCESS_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

ModSecurity trigger - LF_MODSEC

Enable failure detection of repeated Apache ModSecurity rule triggers.

Default: 5 Range: 0-100

ModSecurity trigger block time - LF_MODSEC_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

Mod_qos trigger - LF_QOS

Enable detection of repeated Apache mod_qos rule triggers.

Default: 0 Range: 0-100

Mod_qos trigger block time - LF_QOS_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

Suhosin trigger - LF_SUHOSIN

Enable detection of repeated Suhosin alerts.

Default: 0 Range: 0-100

Suhosin trigger block time - LF_SUHOSIN_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

BIND trigger - LF_BIND

Enable detection of repeated BIND denied requests.

Default: 0 Range: 0|60-1000

BIND trigger block time - LF_BIND_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 1 Range: 0-604800

Apache 404 trigger - LF_APACHE_404

Track the number of "File does not exist" 404 errors in the HTACCESS_LOG. If the number of hits from an IP address exceeds LF_APACHE_404 within LF_INTERVAL seconds, the IP address is blocked. To disable this option set it to 0.

Default: 0 Range: 0|60-1000

Apache 404 trigger block time - LF_APACHE_404_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 3600 Range: 0-604800

Apache 403 trigger - LF_APACHE_403

Track the number of "client denied by server configuration" 403 errors in the HTACCESS_LOG. If the number of hits from an IP address exceeds LF_APACHE_403 within LF_INTERVAL seconds, the IP address is blocked. To disable this option set it to 0.

Default: 0 Range: 0|60-1000

Apache 403 trigger block time - LF_APACHE_403_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 3600 Range: 0-604800

Apache 401 trigger - LF_APACHE_401

Track the number of "HTTP Error 401 Unauthorized" errors in the HTACCESS_LOG. If the number of hits from an IP address exceeds LF_APACHE_401 within LF_INTERVAL seconds, the IP address is blocked. To disable this option set it to 0.

Default: 0 Range: 0|60-1000

Apache 401 trigger block time - LF_APACHE_401_PERM

Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).

Default: 3600 Range: 0-604800

Login Failure Blocking

Block access to failed app only - LF_SELECT

Only block access to the application that failed instead of blocking the IP address completely. LF_TRIGGER must be 0, with the application trigger levels set appropriately.

Default: 0 Range: 0-1

System exploit check interval - LF_EXPLOIT

Perform a series of tests and send an alert if a possible server compromise is detected. To enable this option set it to the checking interval in seconds. To disable it set to 0.

Default: 300 Range: 0|6-86400

System exploit checks to ignore - LF_EXPLOIT_IGNORE

List of system exploit checks that LF_EXPLOIT will ignore (comma separated).

Default: empty

Failure tracking interval - LF_INTERVAL

The time interval in seconds to track login and other LF_ failures within.

Default: 3600 Range: 60-86400
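The following is an added model (not lfd's code) of the trigger arithmetic described in this section: per-application counting when LF_TRIGGER is 0, cumulative counting when it is greater than 0, the LF_INTERVAL sliding window, LF_*_PERM as permanent (1) or temporary (seconds), and LF_SELECT restricting a block to the failing application. The two log patterns, the hostname, pids and addresses are constructed for the example and are far simpler than lfd's real parsers.

```python
"""Model of LF_TRIGGER / application triggers / LF_*_PERM / LF_INTERVAL /
LF_SELECT over constructed log lines.  Written for this page, not lfd's code."""
import re
from collections import defaultdict, deque, namedtuple

# Constructed, simplified patterns for two application triggers; group 1 is the IP.
PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"),
    "ftpd": re.compile(r"pure-ftpd: \(\?@(\d{1,3}(?:\.\d{1,3}){3})\) \[WARNING\] Authentication failed"),
}

# app is None for a full block, or the application name when LF_SELECT limits the
# block to that application's ports; ttl is 0 for permanent, else seconds.
Block = namedtuple("Block", "ip app ttl")


class FailureTracker:
    def __init__(self, conf):
        self.conf = conf
        self.window = defaultdict(deque)  # (ip, app or "*") -> failure timestamps

    def feed(self, ts, line):
        """Feed one log line with its epoch timestamp; return a Block or None."""
        for app, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                return self._failure(ts, app, m.group(1))
        return None

    def _failure(self, ts, app, ip):
        c = self.conf
        level = c[f"LF_{app.upper()}"]
        if level == 0:                       # application trigger disabled
            return None
        if c["LF_TRIGGER"] > 0:              # cumulative: app levels are on/off, LF_TRIGGER counts
            key, threshold, perm = (ip, "*"), c["LF_TRIGGER"], c["LF_TRIGGER_PERM"]
        else:                                # per application: the app level counts
            key, threshold, perm = (ip, app), level, c[f"LF_{app.upper()}_PERM"]
        q = self.window[key]
        q.append(ts)
        while ts - q[0] > c["LF_INTERVAL"]:  # forget failures older than LF_INTERVAL
            q.popleft()
        if len(q) < threshold:
            return None
        q.clear()
        select = app if (c["LF_TRIGGER"] == 0 and c.get("LF_SELECT")) else None
        return Block(ip, select, 0 if perm == 1 else perm)


# Constructed sample lines as (timestamp, text); hostname and pids are made up.
SSHD_LINES = [
    (1000 + 30 * i,
     f"Mar  1 10:{i:02d}:00 host sshd[{4000 + i}]: Failed password for root from 203.0.113.7 port {50000 + i} ssh2")
    for i in range(5)
]
FTPD_LINES = [
    (2000 + 30 * i,
     "Mar  1 10:30:00 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]")
    for i in range(3)
]

# Per-application configuration matching the page's defaults for sshd and ftpd.
PER_APP = {"LF_TRIGGER": 0, "LF_TRIGGER_PERM": 1, "LF_INTERVAL": 3600, "LF_SELECT": 0,
           "LF_SSHD": 5, "LF_SSHD_PERM": 1, "LF_FTPD": 10, "LF_FTPD_PERM": 1}


def run(conf, lines):
    """Return the Block (or None) produced by each line, in timestamp order."""
    t = FailureTracker(conf)
    return [t.feed(ts, line) for ts, line in sorted(lines)]


if __name__ == "__main__":
    print(run(PER_APP, SSHD_LINES)[-1])  # Block(ip='203.0.113.7', app=None, ttl=0)
```

Two consequences worth noticing: in cumulative mode the per-application levels lose their meaning beyond on/off, so three sshd and three ftpd failures reach an LF_TRIGGER of 6 together; and because the window only forgets failures older than LF_INTERVAL, an attacker who spaces attempts just wider than the interval is never blocked by these triggers alone.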

Parse log file interval - LF_PARSE

The number of seconds that the login failure daemon process sleeps before processing the log file entries and checking whether other events need to be triggered.

Default: 5 Range: 5-20

Flush reports interval - LF_FLUSH

The interval in seconds that is used to flush reports of usernames, files, and pids. This helps persistent problems to be reported properly.

Default: 3600 Range: 3600-86400

Repeat block interval - LF_REPEATBLOCK

The number of times to deny an already blocked IP address. To disable this option set it to 0.

Default: 0 Range: 0-5

Block inbound traffic only - LF_BLOCKINONLY

Enable the blocking of inbound traffic only for blocked IP addresses (not recomme

Reporting Settings

To: field for all alert emails - LF_ALERT_TO

This option will override the configured To: field in all login failure daemon alert emails. Leave this option empty to use the To: field setting in each alert template.

Default: empty

From: field for all alert emails - LF_ALERT_FROM

This option will override the configured From: field in all lfd alert emails. Leave this option empty to use the From: field setting in each alert template.

Default: empty

Relaying SMTP server - LF_ALERT_SMTP

Normally the login failure daemon will send all alerts using the default MTA binary. To send using SMTP directly, you can set the following to a relaying SMTP server, e.g. 127.0.0.1. Leave this setting blank to use the default MTA.

Default: empty

Block reporting script - BLOCK_REPORT

The login failure daemon can run an external script when it performs an IP address block. This option is the full path of the external script which must be executable.

Default: empty

Unblock reporting script - UNBLOCK_REPORT

The login failure daemon can run an external script when a temporary block is unblocked. This option is the full path of the external script, which must be executable.

Default: empty

Network Abuse Reporting

X-ARF reports - X_ARF

Enable the sending of X-ARF reports. Only block alert messages will be sent. These reports are in a format accepted by many Netblock owners and should help them investigate abuse. Only enable this option after you have checked for false-positive block reports.

Default: 0 Range: 0-1

From: field for X-ARF reports - X_ARF_FROM

Set the email From: for X-ARF reports.

Default: empty

To: field for X-ARF reports - X_ARF_TO

Set the email To: for X-ARF reports.

Default: empty

X-ARF reports sent to abuse - X_ARF_ABUSE

Automatically send reports to the abuse contact where found. Note: You MUST set X_ARF_FROM to a valid email address for this option to work. This is so that the abuse contact can reply to the report. However, you should be aware that without manual checking you could be reporting innocent IP addresses, including your own clients, yourself and your own servers. We do not recommend enabling this option. Abuse reports should be checked and verified before being forwarded to the abuse contact.

Default: 0

Alerts

Login failure blocking alerts - LF_EMAIL_ALERT

Send an email alert if an IP address is blocked by one of the application triggers.

Default: 1 Range: 0-1

SSH login alerts - LF_SSH_EMAIL_ALERT

Send an email alert if anyone logs in successfully using SSH

Default: 1 Range: 0-1

SU alerts - LF_SU_EMAIL_ALERT

Send an email alert if anyone uses su to access another account.

Default: 1 Range: 0-1

Root console login alerts - LF_CONSOLE_EMAIL_ALERT

Send an email alert if anyone logs in successfully to root on the console.

Default: 0 Range: 0-1

Permblock blocking alerts - LF_PERMBLOCK_ALERT

Enable or disable email alerts for permanent blocks.

Default: 1 Range: 0-1

Netblock blocking alerts - LF_NETBLOCK_ALERT

Enable or disable email alerts for permanent blocks by network class.

Default: 1 Range: 0-1

Recaptcha alert - RECAPTCHA_ALERT

Send an email when an IP address passes the reCAPTCHA and submits an unblock request for itself. This does not necessarily mean the IP was unblocked, only that the post-reCAPTCHA unblock request was attempted.

Default: 1

Log file flooding alerts - LOGFLOOD_ALERT

Send an email alert if log file flooding is detected. You should investigate the reported log file for the reason for the flooding if you receive this alert.

Default: 0 Range: 0-1

Portknocking alerts - PORTKNOCKING_ALERT

Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must also be enabled.

Default: 0 Range: 0-1

Tracking Alerts

Distributed FTP alerts - LF_DISTFTP_ALERT

Send an email alert if LF_DISTFTP is triggered.

Default: 1

Login tracking alerts - LT_EMAIL_ALERT

Send an email alert if an account exceeds LT_POP3D or LT_IMAPD logins per hour.

Default: 1 Range: 0-1

Connection tracking alerts - CT_EMAIL_ALERT

Send an email alert if an IP address is blocked due to connection tracking.

Default: 1 Range: 0-1

User process killing alerts - PT_USERKILL_ALERT

Email an alert if PT_USERKILL is triggered.

Default: 1 Range: 0-1

Port scan tracking alerts - PS_EMAIL_ALERT

Enable port scan tracking email alerts.

Default: 1 Range: 0-1

Account Tracking Alerts

Account creation alerts - AT_NEW

Send alert if a new account is created.

Default: 1 Range: 0-1

Account deletion alerts - AT_OLD

Send alert if an existing account is deleted.

Default: 1 Range: 0-1

Account password change alerts - AT_PASSWD

Send alert if an account password has changed.

Default: 1 Range: 0-1

Account UID change alerts - AT_UID

Send alert if an account uid has changed.

Default: 1 Range: 0-1

Account GID change alerts - AT_GID

Send alert if an account gid has changed.

Default: 1 Range: 0-1

Account directory change alerts - AT_DIR

Send alert if an account login directory has changed.

Default: 1 Range: 0-1

Account shell change alerts - AT_SHELL

Send alert if an account login shell has changed.

Default: 1 Range: 0-1

Temp to Perm Settings

Temp to perm blocking - LF_PERMBLOCK

Enable temporary to permanent IP blocking. This will permanently block IP addresses that have been temporarily blocked more than LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds.

Default: 1 Range: 0-1

Permanent block interval - LF_PERMBLOCK_INTERVAL

The interval in seconds before triggering a Permanent block. LF_PERMBLOCK_INTERVAL needs to be at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting (TTL) for blocked IPs, to be effective.

Default: 86400 Range: 3600-604800

Permanent block count - LF_PERMBLOCK_COUNT

The number of times before triggering a Permanent block.

Default: 4 Range: 1-20

Netblock Settings

Netblock blocking - LF_NETBLOCK

Permanently block IP addresses by network class: the whole class of addresses (the LF_NETBLOCK_CLASS containing them) is blocked once individual IP addresses within it have been blocked more than LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. This can help block DDoS attacks launched from within the same network.

Default: 0 Range: 0-1

Netblock interval - LF_NETBLOCK_INTERVAL

The interval in seconds before triggering a Permanent block by network class.

Default: 86400 Range: 3600-604800

Netblock count - LF_NETBLOCK_COUNT

The number of blocks within the same network class before triggering a permanent block of that class.

Default: 4 Range: 1-20

Netblock class - LF_NETBLOCK_CLASS

The network class (A, B or C) that LF_NETBLOCK blocks. Care and consideration are required when blocking class A or B ranges: a class B block covers 65,536 addresses and a class A block over 16 million, so a single trigger can cut off a large number of legitimate users.

Default: C Range: A|B|C

Netblock blocking IPv6 - LF_NETBLOCK_IPV6

Enable IPv6 netblock blocking. Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24". Great care should be taken with IPV6 netblock ranges due to the large number of addresses involved.

Default: empty
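Added example (not lfd's implementation) modelling the two escalations in the sections above, LF_PERMBLOCK and LF_NETBLOCK (IPv4 classes and the LF_NETBLOCK_IPV6 prefix), together with the LF_PERMBLOCK_INTERVAL sanity check the page recommends. One assumption is stated in the code: the netblock counter counts distinct blocked addresses in the class, which the page does not specify. Addresses are from documentation ranges.

```python
"""Model of LF_PERMBLOCK and LF_NETBLOCK escalation, written for this page."""
import ipaddress
from collections import defaultdict, deque


def permblock_interval_ok(conf, longest_ttl):
    """LF_PERMBLOCK_INTERVAL must cover LF_PERMBLOCK_COUNT temporary blocks of the
    longest LF_*_PERM duration in use, or the escalation can never fire."""
    return conf["LF_PERMBLOCK_INTERVAL"] >= conf["LF_PERMBLOCK_COUNT"] * longest_ttl


class Escalator:
    def __init__(self, conf):
        self.conf = conf
        self.temp_blocks = defaultdict(deque)   # ip -> timestamps of temporary blocks
        self.net_blocks = defaultdict(dict)     # network -> {ip: last block timestamp}

    def network_of(self, ip):
        """Network the address falls in for LF_NETBLOCK_CLASS / LF_NETBLOCK_IPV6, or None."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            bits = {"A": 8, "B": 16, "C": 24}[self.conf["LF_NETBLOCK_CLASS"]]
        else:
            v6 = self.conf.get("LF_NETBLOCK_IPV6", "")
            if not v6:
                return None                     # IPv6 netblocking disabled
            bits = int(v6.lstrip("/"))
        return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

    def on_block(self, ts, ip, ttl):
        """Record a block lfd has just made (ttl 0 = permanent) and return the
        escalations it causes: ("perm", ip) and/or ("net", cidr)."""
        c = self.conf
        out = []
        if c["LF_PERMBLOCK"] and ttl > 0:       # only temporary blocks count
            q = self.temp_blocks[ip]
            q.append(ts)
            while ts - q[0] > c["LF_PERMBLOCK_INTERVAL"]:
                q.popleft()
            if len(q) > c["LF_PERMBLOCK_COUNT"]:  # "more than ... times"
                q.clear()
                out.append(("perm", ip))
        net = self.network_of(ip) if c["LF_NETBLOCK"] else None
        if net:
            # Assumption for this model: count distinct addresses blocked in the
            # class within LF_NETBLOCK_INTERVAL.
            seen = self.net_blocks[net]
            seen[ip] = ts
            for other, when in list(seen.items()):
                if ts - when > c["LF_NETBLOCK_INTERVAL"]:
                    del seen[other]
            if len(seen) > c["LF_NETBLOCK_COUNT"]:
                seen.clear()
                out.append(("net", net))
        return out


# The page's defaults, with netblocking switched on and an IPv6 prefix chosen.
CONF = {"LF_PERMBLOCK": 1, "LF_PERMBLOCK_INTERVAL": 86400, "LF_PERMBLOCK_COUNT": 4,
        "LF_NETBLOCK": 1, "LF_NETBLOCK_INTERVAL": 86400, "LF_NETBLOCK_COUNT": 4,
        "LF_NETBLOCK_CLASS": "C", "LF_NETBLOCK_IPV6": "/64"}

if __name__ == "__main__":
    e = Escalator(CONF)
    for i in range(5):
        print(e.on_block(3600 * i, "203.0.113.7", 3600))  # last line: [('perm', '203.0.113.7')]
```

The sanity check is the one to run before relying on LF_PERMBLOCK: with the defaults (count 4, interval 86400) and a one-hour temporary block it passes, but if any LF_*_PERM is raised to a day the interval can no longer hold four such blocks and escalation silently never happens.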

Dynamic DNS Settings

Safe chain update - SAFECHAINUPDATE

Enable the creation of a new chain when updating all dynamic update chains, and insert it into the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the old dynamic chain and rename the new chain. This option should not be enabled on servers with long dynamic chains and low memory or Virtuozzo VPS servers with a restricted numiptent value.

Default: 0 Range: 0-1

Dynamic DNS update interval - DYNDNS

Allow access from dynamic DNS records by adding the FQDN records in /etc/csf/csf.dyndns and setting this option to the number of seconds to poll for a change in the IP address. If the IP address has changed iptables will be updated. Set the value to 0 to disable.

Default: 21600 Range: 0-86400

Dynamic DNS ignore IP addresses in LFD blocking - DYNDNS_IGNORE

Ignore DYNDNS IP addresses in login failure daemon blocking.

Default: 0 Range: 0-1

Global List Settings

Global list update interval - LF_GLOBAL

The interval in seconds when you want the login failure daemon to retrieve IP allow and deny lists. You do not have to specify both an allow and a deny file.

Default: 0 Range: 0|60-604800

Global allow list URL - GLOBAL_ALLOW

The URL to a centralised copy of an IP allow list.

Default: empty

Global deny list URL - GLOBAL_DENY

The URL to a centralised copy of an IP deny list.

Default: empty

Global ignore list URL - GLOBAL_IGNORE

The URL to a centralised copy of an IP ignore list.

Default: empty

Global DynDNS List Settings

Global dynamic DNS list update interval - GLOBAL_DYNDNS_INTERVAL

The number of seconds to poll for a change in the IP address resolved from GLOBAL_DYNDNS.

Default: 600 Range: 60-86400

Global dynamic DNS list URL - GLOBAL_DYNDNS

The URL to a centralised copy of a dynamic DNS entries list.

Default: empty

Global dynamic DNS list ignore IP addresses in LFD blocking - GLOBAL_DYNDNS_IGNORE

Always ignore GLOBAL_DYNDNS IP addresses in login failure daemon blocking.

Default: 0 Range: 0-1

Block List Settings

Skip BOGON rules for these NICs - LF_BOGON_SKIP

Do not apply BOGON rules to these specific network interfaces (comma separated, e.g. eth1,eth2).

Default: empty

URL data retrieval client - URLGET

How to retrieve URL data (global lists, dynamic DNS lists and auto updates): 1 = HTTP::Tiny, 2 = LWP::UserAgent.

HTTP::Tiny is much faster than LWP::UserAgent and is included in the CSF distribution.

LWP::UserAgent may have to be installed manually, but it has better support for https:// URLs. We recommend setting this to 2 for LWP::UserAgent, as upgrades to CSF are performed over SSL; anything fetched over plain http:// can be tampered with in transit.

Default: 2 Range: 1-2

Directory Watching

Directory watching interval - LF_DIRWATCH_FILE

The interval in seconds to have the login failure daemon watch specified files or directories for changes. If a change is detected then an alert is sent.

Default: 0 Range: 0|30-86400

/tmp dir watching interval - LF_DIRWATCH

This tells the login failure daemon to check /tmp and /dev/shm directories for suspicious files. If a suspicious file is found an email alert is sent. One alert per file per LF_FLUSH interval is sent. To enable this feature set the following to the checking interval in seconds. To disable this option set to 0.

Default: 300 Range: 0|30-86400

/tmp watching file removal - LF_DIRWATCH_DISABLE

Enable the removal of any suspicious files found during directory watching. Removed files are appended to a tarball at /etc/csf/suspicious.tar so they can be examined later.

Default: 0 Range: 0-1

Integrity checking interval - LF_INTEGRITY

The interval in seconds at which the login failure daemon compares md5sums of the server's OS binary application files against those recorded when the login failure daemon was started. If the md5sum of a monitored file does not match, an alert is sent. This option acts as a simple IDS (Intrusion Detection System) for detecting a possible root compromise. Because the baseline is taken at daemon start, restart the login failure daemon after legitimate package updates to avoid false alerts.

Default: 3600 Range: 0|120-86400
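Added example (written for this page, not lfd's code) of the baseline-and-compare check that LF_INTEGRITY describes, with SHA-256 swapped in for md5 and the file mode tracked alongside the hash. The three files are temporary stand-ins for OS binaries, created by the script itself.

```python
"""Minimal LF_INTEGRITY-style check: fingerprint binaries at start, report
anything that later differs.  Written for this page, not lfd's code."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """(sha256 hex digest, permission bits) for a file.  SHA-256 replaces the
    md5sums the page mentions because MD5 collisions are practical; the mode is
    tracked so a newly added setuid bit is caught even if the content is intact."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), os.stat(path).st_mode & 0o7777


def baseline(paths):
    """Snapshot taken at daemon start: path -> fingerprint (missing files skipped)."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def compare(base):
    """Return [(path, status)] for every baseline entry that no longer matches."""
    findings = []
    for path, (digest, mode) in base.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        new_digest, new_mode = fingerprint(path)
        if new_digest != digest:
            findings.append((path, "modified"))
        elif new_mode != mode:
            findings.append((path, "mode"))
    return findings


def demo():
    """Snapshot three stand-in binaries, tamper with each differently, and
    return the status of each finding in path order."""
    d = tempfile.mkdtemp()
    ls, ps, netstat = (os.path.join(d, n) for n in ("ls", "ps", "netstat"))
    for p in (ls, ps, netstat):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
        os.chmod(p, 0o755)
    base = baseline([ls, ps, netstat])
    os.chmod(ls, 0o700)                 # permissions changed, content intact
    with open(ps, "ab") as f:           # content changed (a "trojaned" ps)
        f.write(b"echo hidden\n")
    os.unlink(netstat)                  # removed
    return [status for _, status in compare(base)]


if __name__ == "__main__":
    print(demo())  # ['mode', 'modified', 'missing']
```

The baseline lives in the daemon's memory, so it has the same trust boundary as the daemon: an attacker who already has root can patch both the binaries and the checker, which is why this is a detection aid rather than a guarantee, and why the alert is worth acting on quickly when it does fire.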

Messenger Service

Messenger service - MESSENGER

Display a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The service is provided by two daemons running on ports providing either an HTML or TEXT message. The iptables module ipt_REDIRECT is required.

Default: 0 Range: 0-1

Use for temporary blocks - MESSENGER_TEMP

Show the message to temporary IP address blocks.

Default: 1 Range: 0-1

Use for permanent blocks - MESSENGER_PERM

Show the message to permanent IP address blocks.

Default: 1 Range: 0-1

User account to run under - MESSENGER_USER

The user account to run the messenger service servers under. We recommend a specific non-privileged account with no login shell, so that a flaw in the messenger daemons cannot be used to gain an interactive foothold. If you use a user other than csf you will have to create it manually, e.g. useradd csf -r -s /bin/false (with your chosen name in place of csf).

Default: csf

Maximum child connections - MESSENGER_CHILDREN

The maximum concurrent connections allowed to each service server.

Default: 10 Range: 2-200

Rate limit for connections - MESSENGER_RATE

Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the correct --limit rate syntax.

Default: 100/s

Burst limit for connections - MESSENGER_BURST

The maximum initial number of packets to match before the rate limit applies (iptables --limit-burst).

Default: 150

---------