3-Basic
-------------
Testing mode - TESTING
Enable firewall testing mode. This option will enable a CRON job that will clear iptables when you start the firewall. This should be enabled until you are sure that the firewall works. The login failure daemon will not start while this is enabled. Make sure to disable this option and restart the firewall after everything is configured correctly.
Default: 1 Range: 0-1
Testing interval - TESTING_INTERVAL
The testing interval in minutes at which the CRON job will clear iptables. This option uses the server's system clock, so the CRON job runs on the clock interval past the hour, not from when you issue the firewall start command.
Default: 5 Range: 1-60
Restrict syslog - RESTRICT_SYSLOG
Syslog and rsyslog are vulnerable to spoofing (they allow end-users to log messages to some system logs via the same unix socket that other local services use). This option can disable all LFD features that rely on syslog and rsyslog logs.
Default: 2 Range: 0-3
Restrict syslog group - RESTRICT_SYSLOG_GROUP
This setting is used if RESTRICT_SYSLOG is set to "Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP". It restricts write access to the syslog/rsyslog unix socket(s). The group must not already exist in /etc/groups before setting RESTRICT_SYSLOG to 3, so set the option to a unique name for the server. Using this option will prevent some legitimate logging, e.g. end-user cronjob logs.
Default: mysyslog
Restrict UI - RESTRICT_UI
Restricts the ability to modify some firewall settings from within the user interface. If the panel interface was compromised these restricted options could be used to further compromise the server.
Default: 0
Auto updates - AUTO_UPDATES
Enable firewall auto updates. This option adds a daily CRON job that will update the firewall and login failure daemon automatically if an update is available.
Default: 1 Range: 0-1
SMTP Settings
Block outgoing SMTP - SMTP_BLOCK
Block outgoing SMTP except for root, qmail/postfix and mailman. This forces scripts/users to use the qmail/postfix binary instead of sockets access. This option requires the iptables ipt_owner/xt_owner module to be loaded.
Default: 0 Range: 0-1
Allow local connections - SMTP_ALLOWLOCAL
Allow outgoing SMTP connections to the loopback device on port 25 (If SMTP_BLOCK is enabled).
Default: 1 Range: 0-1
SMTP ports - SMTP_PORTS
SMTP ports to block. You should list all ports that qmail/postfix is configured to listen on.
Default: 25,465,587
SMTP redirect - SMTP_REDIRECT
Redirect outgoing SMTP connections destined for remote servers for non-bypass users to the local SMTP server to force local relaying of email. Such email may require authentication (SMTP AUTH).
Default: 25,465,587
SMTP allowed users - SMTP_ALLOWUSER
Allow the following comma separated users to bypass SMTP_BLOCK. Note: root user is always allowed.
Default: qmaild,qmaill,qmailp,qmailq,qmailr,qmails,postfix
SMTP allowed groups - SMTP_ALLOWGROUP
Allow the following comma separated groups to bypass SMTP_BLOCK. Note: root group is always allowed.
Default: qmail,nofiles,postfix,postdrop,mail,mailman
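As an added illustration (not csf's own rule set), the following Python models how SMTP_BLOCK, SMTP_ALLOWLOCAL, SMTP_PORTS, SMTP_REDIRECT, SMTP_ALLOWUSER and SMTP_ALLOWGROUP combine to classify an outgoing connection from a local process, and renders the kind of iptables owner-match rules such a policy is built from. SMTP_REDIRECT is modelled as an on/off switch, and the uid/gid tables and port numbers are constructed rather than read from the system.

```python
"""Decision model for SMTP_BLOCK and its companion options, plus the kind of
iptables owner-match rules such a policy is built from. Added illustration,
not csf's own rule set; SMTP_REDIRECT is modelled as an on/off switch and the
uid/gid tables are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SmtpConfig:
    SMTP_BLOCK: int = 1
    SMTP_ALLOWLOCAL: int = 1
    SMTP_PORTS: str = "25,465,587"
    SMTP_REDIRECT: int = 0          # modelled as 0/1 (assumption)
    SMTP_ALLOWUSER: str = "qmaild,qmaill,qmailp,qmailq,qmailr,qmails,postfix"
    SMTP_ALLOWGROUP: str = "qmail,nofiles,postfix,postdrop,mail,mailman"


def csv_list(value):
    """Split a comma-separated csf.conf value into a list of names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def decide(cfg, user, groups, dst_ip, dport):
    """Classify an outgoing TCP connection from a local process as
    ALLOW, BLOCK or REDIRECT (to the local SMTP server)."""
    if not cfg.SMTP_BLOCK:
        return "ALLOW"
    if dport not in {int(p) for p in csv_list(cfg.SMTP_PORTS)}:
        return "ALLOW"                                   # not an SMTP port
    if user == "root" or user in csv_list(cfg.SMTP_ALLOWUSER):
        return "ALLOW"                                   # bypass user (root always)
    if "root" in groups or set(groups) & set(csv_list(cfg.SMTP_ALLOWGROUP)):
        return "ALLOW"                                   # bypass group (root always)
    if cfg.SMTP_ALLOWLOCAL and dport == 25 and ipaddress.ip_address(dst_ip).is_loopback:
        return "ALLOW"                                   # local MTA on the loopback device
    if cfg.SMTP_REDIRECT:
        return "REDIRECT"                                # force relaying via the local MTA
    return "BLOCK"


def iptables_rules(cfg, uid_of, gid_of):
    """Render illustrative OUTPUT-chain rules for the policy. Needs the
    xt_owner match, as the reference text notes. With SMTP_REDIRECT the rules
    live in the nat table, where bypass traffic must RETURN before REDIRECT."""
    if not cfg.SMTP_BLOCK:
        return []
    ports = ",".join(csv_list(cfg.SMTP_PORTS))
    table = "-t nat " if cfg.SMTP_REDIRECT else ""
    head = f"iptables {table}-A OUTPUT -p tcp"
    skip = "RETURN" if cfg.SMTP_REDIRECT else "ACCEPT"
    final = "REDIRECT --to-ports 25" if cfg.SMTP_REDIRECT else "REJECT"
    rules = []
    if cfg.SMTP_ALLOWLOCAL:
        rules.append(f"{head} -o lo --dport 25 -j {skip}")
    for name in ["root"] + csv_list(cfg.SMTP_ALLOWUSER):
        if name in uid_of:                               # skip names absent on this host
            rules.append(f"{head} -m multiport --dports {ports} -m owner --uid-owner {uid_of[name]} -j {skip}")
    for name in ["root"] + csv_list(cfg.SMTP_ALLOWGROUP):
        if name in gid_of:
            rules.append(f"{head} -m multiport --dports {ports} -m owner --gid-owner {gid_of[name]} -j {skip}")
    rules.append(f"{head} -m multiport --dports {ports} -j {final}")
    return rules


# Constructed uid/gid tables for a postfix host (not read from /etc/passwd).
UID_OF = {"root": 0, "postfix": 89, "www-data": 33}
GID_OF = {"root": 0, "postfix": 89, "postdrop": 90, "mail": 12, "www-data": 33}

if __name__ == "__main__":
    cfg = SmtpConfig()
    print(decide(cfg, "www-data", ["www-data"], "198.51.100.25", 25))   # BLOCK
    print("\n".join(iptables_rules(cfg, UID_OF, GID_OF)))
```

The rule order matters: bypass users and the loopback exception are matched before the catch-all, so a web application running as www-data that opens a socket to a remote port 25 is rejected while the postfix user and the local MTA on 127.0.0.1 are untouched.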
Port Flood Settings
Synflood Protection
SYN flood protection - SYNFLOOD
Enable SYN Flood Protection. This option configures iptables to offer some protection from TCP SYN packet DOS attempts. If triggered, this option will slow down all new connections from any IP address to the server, so it should only be enabled if you are under a SYN flood attack.
Default: 0 Range: 0-1
SYN flood rate - SYNFLOOD_RATE
The maximum average matching rate.
Default: 100/s
SYN flood burst - SYNFLOOD_BURST
The maximum initial number of packets to match.
Default: 150
Login Failure Blocking Triggers
Trigger - LF_TRIGGER
Login failure trigger blocking is application specific. If you set LF_TRIGGER to 0, the value of each trigger is the number of failures against that application that will trigger the login failure daemon to block the IP address. If you set LF_TRIGGER to a value greater than 0, the application triggers are simply on or off (0 or 1) and the value of LF_TRIGGER is the total cumulative number of failures that will trigger the login failure daemon to block the IP address. Set an application trigger to 0 to disable it.
Default: 0 Range: 0-100
Trigger Block time - LF_TRIGGER_PERM
If LF_TRIGGER is greater than 0 then LF_TRIGGER_PERM can be set to 1 to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 1 and the IP address will be blocked temporarily for that value in seconds.
Default: 1 Range: 0-604800
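The two LF_TRIGGER modes are easy to misread, so here is an added Python model of them (not lfd's own code) that evaluates a set of constructed failure events against per-application thresholds and against a cumulative LF_TRIGGER, honouring LF_INTERVAL. The assumption that a block fires once the count reaches the trigger value is this model's; the event list and the TriggerConfig class are constructed for the example.

```python
"""Model of how LF_TRIGGER, the per-application LF_* triggers and LF_INTERVAL
combine. Added illustration, not lfd's own code; the rule that a block fires
when the count *reaches* the threshold is this model's assumption."""
from dataclasses import dataclass, field


@dataclass
class TriggerConfig:
    LF_TRIGGER: int = 0          # 0 = per-application thresholds; >0 = cumulative threshold
    LF_INTERVAL: int = 3600      # seconds within which failures are tracked
    # Per-application triggers (LF_SSHD, LF_FTPD, LF_SMTPAUTH ...): with
    # LF_TRIGGER=0 these are thresholds, with LF_TRIGGER>0 they are on/off
    # switches. 0 disables the application in both modes.
    app_triggers: dict = field(
        default_factory=lambda: {"sshd": 5, "ftpd": 10, "smtpauth": 5})


def failures_in_window(events, ip, now, interval, app=None):
    """Count (ts, ip, app) failure events from `ip` in the last `interval`
    seconds, optionally restricted to one application."""
    return sum(1 for ts, e_ip, e_app in events
               if e_ip == ip and 0 <= now - ts <= interval
               and (app is None or e_app == app))


def should_block(cfg, events, ip, now):
    """Return (block, reason) for `ip` at time `now`."""
    if cfg.LF_TRIGGER == 0:
        # Per-application mode: each trigger value is its own threshold.
        for app, threshold in cfg.app_triggers.items():
            if threshold == 0:
                continue
            n = failures_in_window(events, ip, now, cfg.LF_INTERVAL, app)
            if n >= threshold:
                return True, f"{app}: {n} failures reached trigger {threshold}"
        return False, "below every per-application trigger"
    # Cumulative mode: enabled applications pool their failures and the
    # total is compared against LF_TRIGGER.
    enabled = {app for app, v in cfg.app_triggers.items() if v}
    n = sum(failures_in_window(events, ip, now, cfg.LF_INTERVAL, app)
            for app in enabled)
    if n >= cfg.LF_TRIGGER:
        return True, f"cumulative: {n} failures reached LF_TRIGGER={cfg.LF_TRIGGER}"
    return False, f"cumulative: {n} failures below LF_TRIGGER={cfg.LF_TRIGGER}"


# Constructed sample failure events: (unix timestamp, source IP, application).
NOW = 1_700_000_000
SAMPLE_EVENTS = (
    [(NOW - 10 - i, "203.0.113.5", "sshd") for i in range(3)]
    + [(NOW - 20 - i, "203.0.113.5", "ftpd") for i in range(3)]
    + [(NOW - 5000, "203.0.113.5", "sshd")]        # outside LF_INTERVAL, ignored
    + [(NOW - 3, "198.51.100.7", "sshd")]
)

if __name__ == "__main__":
    per_app = TriggerConfig()
    pooled = TriggerConfig(LF_TRIGGER=5,
                           app_triggers={"sshd": 1, "ftpd": 1, "smtpauth": 0})
    for cfg in (per_app, pooled):
        print("LF_TRIGGER =", cfg.LF_TRIGGER,
              should_block(cfg, SAMPLE_EVENTS, "203.0.113.5", NOW))
```

With the default per-application values the sample host (3 sshd and 3 ftpd failures in the last hour) is not blocked, because neither count reaches its own trigger; switching to LF_TRIGGER=5 pools the same six failures and blocks it. That is the practical difference: the cumulative mode catches an attacker spreading attempts across services, at the cost of per-service tuning.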
SSHD trigger - LF_SSHD
Enable login failure detection of sshd connections.
Default: 5 Range: 0-100
SSHD trigger block time - LF_SSHD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
FTPD trigger - LF_FTPD
Enable login failure detection of FTP connections.
Default: 10 Range: 0-100
FTPD trigger block time - LF_FTPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
SMTPAUTH trigger - LF_SMTPAUTH
Enable login failure detection of SMTP AUTH connections.
Default: 5 Range: 0-100
SMTPAUTH trigger block time - LF_SMTPAUTH_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
POP3D trigger - LF_POP3D
Enable login failure detection of POP3 connections.
Default: 10 Range: 0-100
POP3D trigger block time - LF_POP3D_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
IMAPD trigger - LF_IMAPD
Enable login failure detection of IMAP connections.
Default: 10 Range: 0-100
IMAPD trigger block time - LF_IMAPD_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
Htaccess trigger - LF_HTACCESS
Enable login failure detection of Apache .htpasswd connections.
Default: 5 Range: 0-100
Htaccess trigger block time - LF_HTACCESS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
ModSecurity trigger - LF_MODSEC
Enable failure detection of repeated Apache ModSecurity rule triggers.
Default: 5 Range: 0-100
ModSecurity trigger block time - LF_MODSEC_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
Mod_qos trigger - LF_QOS
Enable detection of repeated Apache mod_qos rule triggers.
Default: 0 Range: 0-100
Mod_qos trigger block time - LF_QOS_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
Suhosin trigger - LF_SUHOSIN
Enable detection of repeated Suhosin alerts.
Default: 0 Range: 0-100
Suhosin trigger block time - LF_SUHOSIN_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
BIND trigger - LF_BIND
Enable detection of repeated BIND denied requests.
Default: 0 Range: 0|60-1000
BIND trigger block time - LF_BIND_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 1 Range: 0-604800
Apache 404 trigger - LF_APACHE_404
Track the number of "File does not exist" 404 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000
Apache 404 trigger block time - LF_APACHE_404_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800
Apache 403 trigger - LF_APACHE_403
Track the number of "client denied by server configuration" 403 errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000
Apache 403 trigger block time - LF_APACHE_403_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800
Apache 401 trigger - LF_APACHE_401
Track the number of "HTTP Error 401 Unauthorized" errors in the HTACCESS_LOG. If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then the IP address will be blocked. To disable this option set to 0.
Default: 0 Range: 0|60-1000
Apache 401 trigger block time - LF_APACHE_401_PERM
Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for).
Default: 3600 Range: 0-604800
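The Apache 404/403 triggers are a per-IP count over a sliding LF_INTERVAL window. The following Python is an added illustration (not lfd's own parser) that applies that logic to a constructed Apache 2.4 error_log excerpt: it extracts the timestamp and client IP, looks for the phrases the text names, and flags any IP whose hits exceed a non-zero threshold. The regular expression, the sample lines and the `scan` function are all constructed for this example; the 401 case is omitted because the page gives no log phrase for it.

```python
"""Sliding-window count of Apache error-log hits per client IP, in the style
of LF_APACHE_404 / LF_APACHE_403. Added illustration, not lfd's own parser;
the log lines below are constructed and the match phrases are those the
reference text names."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.4 error_log line: timestamp, module:level, pid, client ip:port, message.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (?P<year>\d{4})\] "
    r"\[[^\]]+\] (?:\[pid [^\]]+\] )?\[client (?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?\] "
    r"(?P<msg>.*)$")

# Option name -> phrase to look for in the message (from the reference text).
TRACKED = {
    "LF_APACHE_404": "File does not exist",
    "LF_APACHE_403": "client denied by server configuration",
}


def parse_line(line):
    """Return (datetime, ip, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["msg"]


def scan(lines, thresholds, lf_interval, now):
    """Return {ip: [option, ...]} for IPs whose hits exceed a non-zero
    threshold within the last `lf_interval` seconds ("more than", as the
    reference text puts it; a threshold of 0 disables that option)."""
    window = timedelta(seconds=lf_interval)
    hits = defaultdict(int)                  # (option, ip) -> count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if not (timedelta(0) <= now - ts <= window):
            continue                         # outside LF_INTERVAL
        for option, phrase in TRACKED.items():
            if phrase in msg:
                hits[(option, ip)] += 1
    flagged = defaultdict(list)
    for (option, ip), n in sorted(hits.items()):
        limit = thresholds.get(option, 0)
        if limit and n > limit:
            flagged[ip].append(option)
    return dict(flagged)


# Constructed sample error_log excerpt (IPs from documentation ranges).
SAMPLE_LOG = """\
[Sat Mar 02 08:00:10.000000 2024] [core:info] [pid 1201] [client 203.0.113.5:40001] AH00128: File does not exist: /var/www/html/old.php
[Sat Mar 02 10:15:01.123456 2024] [core:info] [pid 1201] [client 203.0.113.5:40002] AH00128: File does not exist: /var/www/html/page1.php
[Sat Mar 02 10:15:02.223456 2024] [core:info] [pid 1201] [client 203.0.113.5:40003] AH00128: File does not exist: /var/www/html/page2.php
[Sat Mar 02 10:15:03.323456 2024] [core:info] [pid 1202] [client 203.0.113.5:40004] AH00128: File does not exist: /var/www/html/page3.php
[Sat Mar 02 10:15:04.423456 2024] [core:info] [pid 1202] [client 203.0.113.5:40005] AH00128: File does not exist: /var/www/html/page4.php
[Sat Mar 02 10:16:00.000000 2024] [authz_core:error] [pid 1202] [client 203.0.113.5:40006] AH01630: client denied by server configuration: /var/www/html/private
[Sat Mar 02 10:20:00.000000 2024] [core:info] [pid 1203] [client 198.51.100.7:50001] AH00128: File does not exist: /var/www/html/favicon.ico
[Sat Mar 02 10:20:01.000000 2024] [core:info] [pid 1203] [client 198.51.100.7:50002] AH00128: File does not exist: /var/www/html/robots.txt
""".splitlines()

NOW = datetime(2024, 3, 2, 10, 30, 0)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, {"LF_APACHE_404": 3, "LF_APACHE_403": 0}, 3600, NOW))
```

The second host's two missing-file hits (favicon.ico, robots.txt) are exactly the kind of benign noise that a low LF_APACHE_404 value would block, which is why the range starts at 60; the example uses 3 only so the constructed excerpt stays short.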
Login Failure Blocking
Block access to failed app only - LF_SELECT
Only block access to the failed application instead of blocking the IP address completely. LF_TRIGGER must be set to 0 with application trigger levels also set appropriately.
Default: 0 Range: 0-1
System exploit check interval - LF_EXPLOIT
Perform a series of tests to send an alert in case a possible server compromise is detected. To enable this option set the following to the checking interval in seconds. To disable this option set to 0.
Default: 300 Range: 0|6-86400
System exploit checks to ignore - LF_EXPLOIT_IGNORE
List of system exploit checks that LF_EXPLOIT will ignore (comma separated).
Default: empty
Failure tracking interval - LF_INTERVAL
The time interval in seconds to track login and other LF_ failures within.
Default: 3600 Range: 60-86400
Parse log file interval - LF_PARSE
The number of seconds that the login failure daemon process sleeps before processing the log file entries and checking whether other events need to be triggered.
Default: 5 Range: 5-20
Flush reports interval - LF_FLUSH
The interval in seconds that is used to flush reports of usernames, files, and pids. This helps persistent problems to be reported properly.
Default: 3600 Range: 3600-86400
Repeat block interval - LF_REPEATBLOCK
The number of times to deny an already blocked IP address. To disable this option set to 0.
Default: 0 Range: 0-5
Block inbound traffic only - LF_BLOCKINONLY
Enable the blocking of inbound traffic only for blocked IP addresses (not recomme
Reporting Settings
To: field for all alert emails - LF_ALERT_TO
This option will override the configured To: field in all login failure daemon alert emails. Leave this option empty to use the To: field setting in each alert template.
Default: empty
From: field for all alert emails - LF_ALERT_FROM
This option will override the configured From: field in all lfd alert emails. Leave this option empty to use the From: field setting in each alert template.
Default: empty
Relaying SMTP server - LF_ALERT_SMTP
Normally the login failure daemon will send all alerts using the default MTA binary. To send using SMTP directly, you can set the following to a relaying SMTP server, e.g. 127.0.0.1. Leave this setting blank to use the default MTA.
Default: empty
Block reporting script - BLOCK_REPORT
The login failure daemon can run an external script when it performs an IP address block. This option is the full path of the external script which must be executable.
Default: empty
Unblock reporting script - UNBLOCK_REPORT
The login failure daemon can run an external script when a temporary block is unblocked. The following setting can be the full path of the external script, which must be executable.
Default: empty
Network Abuse Reporting
X-ARF reports - X_ARF
Enable the sending of X-ARF reports. Only block alert messages will be sent. These reports are in a format accepted by many Netblock owners and should help them investigate abuse. Only enable this option after you have checked for false-positive block reports.
Default: 0 Range: 0-1
From: field for X-ARF reports - X_ARF_FROM
Set the email From: for X-ARF reports.
Default: empty
To: field for X-ARF reports - X_ARF_TO
Set the email To: for X-ARF reports.
Default: empty
X-ARF reports sent to abuse - X_ARF_ABUSE
Automatically send reports to the abuse contact where found. Note: You MUST set X_ARF_FROM to a valid email address for this option to work. This is so that the abuse contact can reply to the report. However, you should be aware that without manual checking you could be reporting innocent IP addresses, including your own clients, yourself and your own servers. We do not recommend enabling this option. Abuse reports should be checked and verified before being forwarded to the abuse contact.
Default: 0
Alerts
Login failure blocking alerts - LF_EMAIL_ALERT
Send an email alert if an IP address is blocked by one of the application triggers.
Default: 1 Range: 0-1
SSH login alerts - LF_SSH_EMAIL_ALERT
Send an email alert if anyone logs in successfully using SSH.
Default: 1 Range: 0-1
SU alerts - LF_SU_EMAIL_ALERT
Send an email alert if anyone uses su to access another account.
Default: 1 Range: 0-1
Root console login alerts - LF_CONSOLE_EMAIL_ALERT
Send an email alert if anyone logs in successfully to root on the console.
Default: 0 Range: 0-1
Permblock blocking alerts - LF_PERMBLOCK_ALERT
Enable or disable email alerts for permanent blocks.
Default: 1 Range: 0-1
Netblock blocking alerts - LF_NETBLOCK_ALERT
Enable or disable email alerts for permanent blocks by network class.
Default: 1 Range: 0-1
Recaptcha alert - RECAPTCHA_ALERT
Send an email when an IP address successfully attempts to unblock themselves. This does not necessarily mean the IP was unblocked, only that the post-recaptcha unblock request was attempted.
Default: 1
Log file flooding alerts - LOGFLOOD_ALERT
Send an email alert if log file flooding is detected. You should investigate the reported log file for the reason for the flooding if you receive this alert.
Default: 0 Range: 0-1
Portknocking alerts - PORTKNOCKING_ALERT
Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must also be enabled.
Default: 0 Range: 0-1
Tracking Alerts
Distributed FTP alerts - LF_DISTFTP_ALERT
Send an email alert if LF_DISTFTP is triggered.
Default: 1
Login tracking alerts - LT_EMAIL_ALERT
Send an email alert if an account exceeds LT_POP3D or LT_IMAPD logins per hour.
Default: 1 Range: 0-1
Connection tracking alerts - CT_EMAIL_ALERT
Send an email alert if an IP address is blocked due to connection tracking.
Default: 1 Range: 0-1
User process killing alerts - PT_USERKILL_ALERT
Email an alert if PT_USERKILL is triggered.
Default: 1 Range: 0-1
Port scan tracking alerts - PS_EMAIL_ALERT
Enable port scan tracking email alerts.
Default: 1 Range: 0-1
Account Tracking Alerts
Account creation alerts - AT_NEW
Send alert if a new account is created.
Default: 1 Range: 0-1
Account deletion alerts - AT_OLD
Send alert if an existing account is deleted.
Default: 1 Range: 0-1
Account password change alerts - AT_PASSWD
Send alert if an account password has changed.
Default: 1 Range: 0-1
Account UID change alerts - AT_UID
Send alert if an account uid has changed.
Default: 1 Range: 0-1
Account GID change alerts - AT_GID
Send alert if an account gid has changed.
Default: 1 Range: 0-1
Account directory change alerts - AT_DIR
Send alert if an account login directory has changed.
Default: 1 Range: 0-1
Account shell change alerts - AT_SHELL
Send alert if an account login shell has changed.
Default: 1 Range: 0-1
Temp to Perm Settings
Temp to perm blocking - LF_PERMBLOCK
Enable temporary to permanent IP blocking. This will permanently block IP addresses that have been temporarily blocked more than LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds.
Default: 1 Range: 0-1
Permanent block interval - LF_PERMBLOCK_INTERVAL
The interval in seconds before triggering a Permanent block. LF_PERMBLOCK_INTERVAL needs to be at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting (TTL) for blocked IPs, to be effective.
Default: 86400 Range: 3600-604800
Permanent block count - LF_PERMBLOCK_COUNT
The number of times before triggering a Permanent block.
Default: 4 Range: 1-20
Netblock Settings
Netblock blocking - LF_NETBLOCK
Permanently block IPs by network class. Permanently block classes of IP address where individual IP addresses within the same class LF_NETBLOCK_CLASS have already been blocked more than LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. This can help block DDOS attacks launched from within the same network class.
Default: 0 Range: 0-1
Netblock interval - LF_NETBLOCK_INTERVAL
The interval in seconds before triggering a Permanent block by network class.
Default: 86400 Range: 3600-604800
Netblock count - LF_NETBLOCK_COUNT
The number of times before triggering a Permanent block.
Default: 4 Range: 1-20
Netblock class - LF_NETBLOCK_CLASS
Care and consideration is required when blocking network classes A or B.
Default: C Range: A|B|C
Netblock blocking IPv6 - LF_NETBLOCK_IPV6
Enable IPv6 netblock blocking. Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24". Great care should be taken with IPV6 netblock ranges due to the large number of addresses involved.
Default: empty
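Temp-to-perm blocking (LF_PERMBLOCK_*) and netblock blocking (LF_NETBLOCK_*) are both sliding-window counters on top of ordinary temporary blocks. The Python below is an added illustration (not lfd's own code) that feeds a constructed stream of temporary blocks through both escalations, maps LF_NETBLOCK_CLASS and LF_NETBLOCK_IPV6 to prefix lengths, and includes the LF_PERMBLOCK_INTERVAL sanity check from the text. The reading that a netblock counts distinct blocked addresses within the class, the `BlockEscalator` class and all timestamps are assumptions of this example.

```python
"""Temp-to-perm escalation (LF_PERMBLOCK_*) and netblock escalation
(LF_NETBLOCK_*) over a stream of temporary blocks. Added illustration, not
lfd's own code; the reading that a netblock counts distinct blocked IPs within
the class is this model's assumption, and all timestamps are constructed."""
import ipaddress
from collections import defaultdict

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}     # LF_NETBLOCK_CLASS -> IPv4 prefix length


class BlockEscalator:
    def __init__(self, permblock_interval=86400, permblock_count=4,
                 netblock_interval=86400, netblock_count=4,
                 netblock_class="C", netblock_ipv6="/64"):
        self.permblock_interval = permblock_interval
        self.permblock_count = permblock_count
        self.netblock_interval = netblock_interval
        self.netblock_count = netblock_count
        self.netblock_class = netblock_class
        self.netblock_ipv6 = netblock_ipv6         # "" disables IPv6 netblocks
        self.temp_history = defaultdict(list)      # ip -> [ts of temp blocks]
        self.net_history = defaultdict(list)       # network -> [(ts, ip)]
        self.perm_ips, self.perm_nets = set(), set()

    def interval_is_effective(self, longest_ttl):
        """The check from the LF_PERMBLOCK_INTERVAL text: the window must
        cover LF_PERMBLOCK_COUNT temporary blocks of the longest TTL."""
        return self.permblock_interval >= self.permblock_count * longest_ttl

    def netblock_of(self, ip):
        """Network a blocked address belongs to, or None if netblocking is
        off for its address family."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            prefix = CLASS_PREFIX[self.netblock_class]
        elif self.netblock_ipv6:
            prefix = int(self.netblock_ipv6.lstrip("/"))
        else:
            return None
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def temp_block(self, ip, ts):
        """Record a temporary block of `ip` at time `ts`; return the list of
        escalations it triggers: ("perm", ip) and/or ("netblock", network)."""
        escalations = []
        hist = self.temp_history[ip]
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t <= self.permblock_interval]
        if len(hist) > self.permblock_count and ip not in self.perm_ips:
            self.perm_ips.add(ip)
            escalations.append(("perm", ip))
        net = self.netblock_of(ip)
        if net is not None and net not in self.perm_nets:
            nh = self.net_history[net]
            nh.append((ts, ip))
            nh[:] = [(t, i) for t, i in nh if ts - t <= self.netblock_interval]
            if len({i for _, i in nh}) > self.netblock_count:
                self.perm_nets.add(net)
                escalations.append(("netblock", str(net)))
        return escalations


if __name__ == "__main__":
    esc = BlockEscalator()
    print("interval effective with 1h TTLs:", esc.interval_is_effective(3600))
    for i in range(5):                       # one host, five temp blocks in one day
        print(esc.temp_block("203.0.113.5", 1000 + i * 600))
    for host in (10, 11, 12, 13):            # four more hosts in the same /24
        print(esc.temp_block(f"203.0.113.{host}", 5000 + host))
```

Note what `interval_is_effective` says about the defaults: with LF_PERMBLOCK_COUNT=4 and an LF_PERMBLOCK_INTERVAL of 86400, temporary blocks of one hour escalate as intended, but if every LF_*_PERM value were raised to 86400 the fifth block could never fall inside the window and temp-to-perm blocking would silently stop working.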
Dynamic DNS Settings
Safe chain update - SAFECHAINUPDATE
Enable the creation of a new chain when updating all dynamic update chains, and insert it into the relevant LOCALINPUT/LOCALOUTPUT chain, then flush and delete the old dynamic chain and rename the new chain. This option should not be enabled on servers with long dynamic chains and low memory or Virtuozzo VPS servers with a restricted numiptent value.
Default: 0 Range: 0-1
Dynamic DNS update interval - DYNDNS
Allow access from dynamic DNS records by adding the FQDN records in /etc/csf/csf.dyndns and setting this option to the number of seconds to poll for a change in the IP address. If the IP address has changed iptables will be updated. Set the value to 0 to disable.
Default: 21600 Range: 0-86400
Dynamic DNS ignore IP addresses in LFD blocking - DYNDNS_IGNORE
Ignore DYNDNS IP addresses in login failure daemon blocking.
Default: 0 Range: 0-1
Global List Settings
Global list update interval - LF_GLOBAL
The interval in seconds when you want the login failure daemon to retrieve IP allow and deny lists. You do not have to specify both an allow and a deny file.
Default: 0 Range: 0|60-604800
Global allow list URL - GLOBAL_ALLOW
The URL to a centralised copy of an IP allow list.
Default: empty
Global deny list URL - GLOBAL_DENY
The URL to a centralised copy of an IP deny list.
Default: empty
Global ignore list URL - GLOBAL_IGNORE
The URL to a centralised copy of an IP ignore list.
Default: empty
Global DynDNS List Settings
Global dynamic DNS list update interval - GLOBAL_DYNDNS_INTERVAL
The number of seconds to poll for a change in the IP address resolved from GLOBAL_DYNDNS.
Default: 600 Range: 60-86400
Global dynamic DNS list URL - GLOBAL_DYNDNS
The URL to a centralised copy of a dynamic DNS entries list.
Default: empty
Global dynamic DNS list ignore IP addresses in LFD blocking - GLOBAL_DYNDNS_IGNORE
Always ignore GLOBAL_DYNDNS IP addresses in login failure daemon blocking.
Default: 0 Range: 0-1
Block List Settings
Skip BOGON rules for these NICs - LF_BOGON_SKIP
Do not apply BOGON rules to these specific network interfaces (comma separated, e.g. eth1,eth2).
Default: empty
URL data retrieval client - URLGET
How to retrieve URL data.
HTTP::Tiny is much faster than LWP::UserAgent and is included in the CSF distribution.
LWP::UserAgent may have to be installed manually, but it can better support https:// URLs. We recommend setting this to 2 for LWP::UserAgent, as upgrades to CSF will be performed over SSL.
Default: 2 Range: 1-2
Directory Watching
Directory watching interval - LF_DIRWATCH_FILE
The interval in seconds to have the login failure daemon watch specified files or directories for changes. If a change is detected then an alert is sent.
Default: 0 Range: 0|30-86400
/tmp dir watching interval - LF_DIRWATCH
This tells the login failure daemon to check /tmp and /dev/shm directories for suspicious files. If a suspicious file is found an email alert is sent. One alert per file per LF_FLUSH interval is sent. To enable this feature set the following to the checking interval in seconds. To disable this option set to 0.
Default: 300 Range: 0|30-86400
/tmp watching file removal - LF_DIRWATCH_DISABLE
Enable the removal of any suspicious files found during directory watching. These files will be appended to a tarball located in /etc/csf/suspicious.tar
Default: 0 Range: 0-1
Integrity checking interval - LF_INTEGRITY
The interval in seconds to have the login failure daemon compare md5sums of the server's OS binary application files against those recorded when the login failure daemon was started. If the md5sum of a monitored file is mismatched then an alert is sent. This option acts as an IDS (Intrusion Detection System) in detecting a possible root compromise.
Default: 3600 Range: 0|120-86400
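The mechanism behind LF_INTEGRITY is a baseline of file hashes taken at daemon start and re-checked every interval. The Python below is an added illustration of that baseline-and-compare loop (not lfd's own code): it hashes files, diffs two snapshots into modified/missing/new, and runs a self-contained demo against constructed files in a temporary directory rather than the real OS binaries. The `demo`, `snapshot` and `compare` helpers are constructed for this example.

```python
"""Baseline-and-compare integrity check in the spirit of LF_INTEGRITY: hash
the monitored files when the daemon starts, rehash on each interval and
report differences. Added illustration, not lfd's own code; the files it
hashes are constructed in a temporary directory rather than read from the OS."""
import hashlib
import os
import tempfile


def md5_of(path):
    """md5 of a file's contents, read in chunks; md5 is what the reference
    text names, and hashlib.sha256 drops in unchanged if preferred."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Baseline: {path: md5} for every path that is a regular file."""
    return {p: md5_of(p) for p in paths if os.path.isfile(p)}


def compare(baseline, current):
    """Classify drift between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build two fake binaries, take a baseline, then alter one and delete the
    other; returns the report with base names only."""
    with tempfile.TemporaryDirectory() as tmp:
        ls_bin, ps_bin = os.path.join(tmp, "ls"), os.path.join(tmp, "ps")
        for path in (ls_bin, ps_bin):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF" + os.path.basename(path).encode())   # constructed content
        baseline = snapshot([ls_bin, ps_bin])          # taken "at daemon start"
        with open(ls_bin, "ab") as fh:
            fh.write(b"\x90")                           # one byte appended
        os.remove(ps_bin)
        report = compare(baseline, snapshot([ls_bin, ps_bin]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Because the baseline is taken when the daemon starts, a legitimate package update of a monitored binary produces the same "modified" alert as a tampered file; the alert is expected after patching and clears once the daemon is restarted with a fresh baseline.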
Messenger Service
Messenger service - MESSENGER
Display a message to a blocked connecting IP address to inform the user that they are blocked by the firewall. The service is provided by two daemons running on ports providing either an HTML or TEXT message. The iptables module ipt_REDIRECT is required.
Default: 0 Range: 0-1
Use for temporary blocks - MESSENGER_TEMP
Show the message to temporary IP address blocks.
Default: 1 Range: 0-1
Use for permanent blocks - MESSENGER_PERM
Show the message to permanent IP address blocks.
Default: 1 Range: 0-1
User account to run under - MESSENGER_USER
The user account to run the messenger service servers under. We recommend you use a specific non-privileged, non-shell account. If you are using a user other than csf you will have to add it manually, e.g. useradd csf -r -s /bin/false
Default: csf
Maximum child connections - MESSENGER_CHILDREN
The maximum concurrent connections allowed to each service server.
Default: 10 Range: 2-200
Rate limit for connections - MESSENGER_RATE
Limit the rate at which connections can be made to the messenger service servers. See the iptables man page for the correct --limit rate syntax.
Default: 100/s
Burst limit for connections - MESSENGER_BURST
The maximum initial number of packets to match.
Default: 150
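SYNFLOOD_RATE / SYNFLOOD_BURST and MESSENGER_RATE / MESSENGER_BURST both use the iptables `--limit` / `--limit-burst` syntax, which is a token bucket: `burst` packets match immediately, then further packets match only as tokens refill at `rate`. The Python below is an added illustration (not csf's or iptables' code) of that bucket, serving both passages: it parses the rate syntax and simulates a constructed one-second SYN burst against the defaults next to a normal connection pattern. The `LimitMatch` class and the packet timings are constructed for this example.

```python
"""Token-bucket model of the iptables `limit` match that SYNFLOOD_RATE /
SYNFLOOD_BURST and MESSENGER_RATE / MESSENGER_BURST configure: `burst` packets
match immediately, then tokens refill at `rate`. Added illustration, not
csf's or iptables' code; the packet timings below are constructed."""
import re

_UNITS = {"second": 1, "sec": 1, "s": 1, "minute": 60, "min": 60, "m": 60,
          "hour": 3600, "h": 3600, "day": 86400, "d": 86400}


def parse_rate(spec):
    """Turn an iptables --limit value such as '100/s' or '5/minute' into
    packets per second."""
    m = re.fullmatch(r"(\d+)/(second|sec|s|minute|min|m|hour|h|day|d)", spec.strip())
    if not m:
        raise ValueError(f"bad rate spec: {spec!r}")
    return int(m.group(1)) / _UNITS[m.group(2)]


class LimitMatch:
    """Bucket of `burst` tokens refilled at `rate`; each matching packet
    spends one token. Packets that find no token do not match."""
    def __init__(self, rate, burst):
        self.rate = parse_rate(rate)
        self.capacity = burst
        self.tokens = float(burst)
        self.last = None

    def match(self, ts):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate, burst, timestamps):
    """Return (matched, exceeded) counts for packets arriving at `timestamps`.
    For SYNFLOOD the matched SYNs are accepted and the rest dropped, which is
    why the text warns that every new connection slows down once it triggers."""
    bucket = LimitMatch(rate, burst)
    matched = sum(1 for t in sorted(timestamps) if bucket.match(t))
    return matched, len(timestamps) - matched


if __name__ == "__main__":
    flood = [i / 1000 for i in range(1000)]            # 1000 SYNs in one second
    print("flood  :", simulate("100/s", 150, flood))
    normal = [i * 0.05 for i in range(1000)]           # 20 connections/s for 50 s
    print("normal :", simulate("100/s", 150, normal))
```

With the defaults, 1000 SYNs in one second let through roughly the 150-packet burst plus about 100 refilled tokens and drop the rest, while a steady 20 connections per second never empties the bucket. The limit is global, not per source, which is the reason the text says to enable SYNFLOOD only while actually under attack.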
---------