###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"
# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"
# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"
# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"
# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"
# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"
# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"
# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"
# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"
# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"
# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"
# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"
# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"
# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"
# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"
# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"
# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"
# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"
# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"
# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"
# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"
# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"
# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"
# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER,SSHDSPAM
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""
# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"
# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"
# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"
# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside, is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"
# By default csf will create both an inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IP's and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"
###############################################################################
# SECTION:CloudFlare
###############################################################################
# This features provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IP's. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attackers
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides CLI (and via the UI) additional commands
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"
# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"
# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"
###############################################################################
# SECTION:Directory Watching & Integrity
###############################################################################
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "300"
# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"
# This option allows you to have lfd watch a particular file or directory for
# changes and should they change and email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# Set to disable set to "0"
LF_DIRWATCH_FILE = "0"
# System Integrity Checking. This enables lfd to compare md5sums of the
# servers OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the servers OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase server I/O
# load onto the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"
###############################################################################
# SECTION:Distributed Attacks
###############################################################################
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"
# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"
# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"
# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "0"
# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"
# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"
# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"
# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"
# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""
###############################################################################
# SECTION:Login Tracking
###############################################################################
# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_POP3D = "0"
# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, afterwhich the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_IMAPD = "0"
# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"
# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"
###############################################################################
# SECTION:Connection Tracking
###############################################################################
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = "1500"
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = ""
###############################################################################
# SECTION:Process Tracking
###############################################################################
# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action
#
# The following is the number of seconds a process has to be active before it
# is inspected. If you set this time too low, then you will likely trigger
# false-positives with CGI or PHP scripts.
# Set the value to 0 to disable this feature
PT_LIMIT = "60"
# How frequently processes are checked in seconds
PT_INTERVAL = "60"
# If you want process tracking to highlight php or perl scripts that are run
# through apache then disable the following,
# i.e. set it to 0
#
# While enabling this setting will reduce false-positives, having it set to 0
# does provide better checking for exploits running on the server
PT_SKIP_HTTP = "0"
# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# Note: If a deleted executable process is detected and reported then lfd will
# not report children of the parent (or the parent itself if a child triggered
# the report) if the parent is also a deleted executable process
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
# If you do want lfd to report deleted binary processes, set to 1
PT_DELETED = "0"
# If a PT_DELETED event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the executable, pid,
# account for the process, and parent pid
#
# The action script must have the execute bit and interpreter (shebang) set. An
# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
#
# WARNING: Make sure you read and understand the potential security
# implications of such processes in PT_DELETED above before simply restarting
# such processes with a script
PT_DELETED_ACTION = ""
# User Process Tracking. This option enables the tracking of the number of
# process any given account is running at one time. If the number of processes
# exceeds the value of the following setting an email alert is sent with
# details of those processes. If you specify a user in csf.pignore it will be
# ignored
#
# Set to 0 to disable this feature
PT_USERPROC = "10"
# This User Process Tracking option sends an alert if any user process exceeds
# the virtual memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "512"
# This User Process Tracking option sends an alert if any user process exceeds
# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
# processes or users use csf.pignore
#
# Set to 0 to disable this feature
PT_USERRSS = "256"
# This User Process Tracking option sends an alert if any linux user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set to 0 to disable this feature
PT_USERTIME = "1800"
# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
# PT_USERPROC are killed
#
# Warning: We don't recommend enabling this option unless absolutely necessary
# as it can cause unexpected problems when processes are suddenly terminated.
# It can also lead to system processes being terminated which could cause
# stability issues. It is much better to leave this option disabled and to
# investigate each case as it is reported when the triggers above are breached
#
# Note: Processes that are running deleted excecutables (see PT_DELETED) will
# not be killed by lfd
PT_USERKILL = "0"
# If you want to disable email alerts if PT_USERKILL is triggered, then set
# this option to 0
PT_USERKILL_ALERT = "1"
# If a PT_* event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the PID(s) of the
# process(es) in a comma separated list.
#
# The action script must have the execute bit and interpreter (shebang) set
PT_USER_ACTION = ""
# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
# seconds has passed to prevent email floods.
#
# Set PT_LOAD to "0" to disable this feature
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"
# This is the Apache Server Status URL used in the email alert. Requires the
# Apache mod_status module to be installed and configured correctly
PT_APACHESTATUS = "http://127.0.0.1/server-status"
# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc incase of
# looping processes. The action script must have the execute bit an
# interpreter (shebang) set
PT_LOAD_ACTION = ""
# Fork Bomb Protection. This option checks the number of processes with the
# same session id and if greater than the value set, the whole session tree is
# terminated and an alert sent
#
# You can see an example of common session id processes on most Linux systems
# using: "ps axf -O sid"
#
# On cPanel servers, PT_ALL_USERS should be enabled to use this option
# effectively
#
# This option will check root owned processes. Session id 0 and 1 will always
# be ignored as they represent kernel and init processes. csf.pignore will be
# honoured, but bear in mind that a session tree can contain a variety of users
# and executables
#
# Care needs to be taken to ensure that this option only detects runaway fork
# bombs, so should be set higher than any session tree is likely to get (e.g.
# httpd could have 100s of legitimate children on very busy systems). A
# sensible starting point on most servers might be 250
PT_FORKBOMB = "0"
# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
# are often left hanging after their connecting IP addresses have been blocked
#
# This option will terminate the SSH processes created by the blocked IP. This
# option is preferred over PT_SSHDHUNG
PT_SSHDKILL = "0"
# This option will terminate all processes with the cmdline of "sshd: unknown
# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
# seconds
PT_SSHDHUNG = "0"
###############################################################################
# SECTION:Port Scan Tracking
###############################################################################
# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates a port block that is logged more than
# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
#
# This feature could, for example, be useful for blocking hackers attempting
# to access the standard SSH port if you have moved it to a port other than 22
# and have removed 22 from the TCP_IN list so that connection attempts to the
# old port are being logged
#
# This feature blocks all iptables blocks from the iptables logs, including
# repeated attempts to one port or SYN flood blocks, etc
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
# cause redundant blocking with DROP_IP_LOGGING enabled
#
# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
# could very quickly fill the iptables rule chains and cause a DOS in itself.
# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
# and the DENY_TEMP_IP_LIMIT with temporary blocks
#
# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
PS_INTERVAL = "0"
PS_LIMIT = "10"
# You can specify the ports and/or port ranges that should be tracked by the
# Port Scan Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_IN. The setting of
# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
#
# Special values are:
# ICMP - include ICMP blocks (see ICMP_*)
# INVALID - include INVALID blocks (see PACKET_FILTER)
# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
# BRD - include UDP Broadcast IPs, otherwise they are ignored
PS_PORTS = "0:65535,ICMP"
# To specify how many different ports qualifies as a Port Scan you can increase
# the following from the default value of 1. The risk in doing so will mean
# that persistent attempts to attack a specific closed port will not be
# detected and blocked
PS_DIVERSITY = "1"
# You can select whether IP blocks for Port Scan Tracking should be temporary
# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
# temporarily block the IP address for
PS_PER
