CSF Configuration Parameters

Some of the important CSF configuration parameters (set in /etc/csf/csf.conf) that you should know, with their details:

1. TESTING – This sets CSF to testing mode or active mode. If the variable TESTING is set to 1, CSF is in testing mode; if it is set to 0, testing mode is disabled. lfd will not start while testing mode is enabled.

2. TESTING_INTERVAL – If CSF is in testing mode, a cron job is set up to run at the interval given by the variable TESTING_INTERVAL. Its purpose is to delete all the rules that were added to the csf firewall once TESTING_INTERVAL has elapsed. If CSF is in active mode, no such cron job is set up.

3. AUTO_UPDATES – If auto update is enabled, a cron job called /etc/cron.d/csf_update runs once per day to check whether there is an update to csf+lfd; if one is available it upgrades and restarts csf and lfd. The upgrade does not overwrite configuration files or email templates. Once the update is made, an email is sent to the root account.

Port Settings

4. TCP_IN – Allow incoming TCP ports. The ports are given as a comma-separated list. You can also add a range of ports using a colon, e.g. 30000:35000.

5. TCP_OUT – Allow outgoing TCP ports.

6. UDP_IN – Allow incoming UDP ports.

7. UDP_OUT – Allow outgoing UDP ports. Traceroute uses the UDP protocol, so if you want to allow outgoing traceroute, add 33434:33523 to this list.

8. ICMP_IN – Allow incoming PING.

9. ICMP_IN_RATE – Set the per-IP-address incoming ICMP packet rate.

10. ICMP_OUT – Allow outgoing PING.

11. ICMP_OUT_RATE – Set the per-IP-address outgoing ICMP packet rate, e.g. “1/s”.
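As an added example (not part of the original post or of csf itself), the script below parses a constructed csf.conf fragment in the KEY = "value" format used by /etc/csf/csf.conf, expands the comma-separated port lists with their a:b ranges, and flags the pitfalls described above: TESTING left at 1 and an admin port (assumed to be SSH on 22) missing from TCP_IN.

```python
import re

# Constructed csf.conf fragment for illustration; not taken from a real server.
SAMPLE_CONF = '''
# lfd will not start while TESTING is "1"
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,33434:33523"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
'''

CONF_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')
RATE = re.compile(r'^\d+/[smhd]$')  # e.g. "1/s": packets per second/minute/hour/day

def parse_conf(text):
    """Return csf.conf settings as a dict, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def expand_ports(spec):
    """Expand a comma-separated port list; a:b entries are inclusive ranges."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def port_allowed(conf, key, port):
    """True if PORT is opened by the port list stored under KEY (e.g. TCP_IN)."""
    return port in expand_ports(conf.get(key, ""))

def audit(conf, admin_port=22):
    """Flag the pitfalls described above; admin_port is an assumed SSH port."""
    findings = []
    if conf.get("TESTING") == "1":
        findings.append("TESTING is 1: rules are flushed every TESTING_INTERVAL and lfd will not start")
    if not port_allowed(conf, "TCP_IN", admin_port):
        findings.append(f"TCP_IN does not allow port {admin_port}: risk of locking yourself out")
    for key in ("ICMP_IN_RATE", "ICMP_OUT_RATE"):
        if key in conf and not RATE.match(conf[key]):
            findings.append(f"{key} is not of the form N/s: {conf[key]!r}")
    return findings
```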

General Settings

12. ETH_DEVICE – Specify the NIC to which the iptables rules should be applied. By default, csf auto-configures iptables to filter all traffic except on the loopback device.

13. ETH_DEVICE_SKIP – If the iptables rules should not be applied to specific NICs, list those NICs in this variable.

14. RELAYHOSTS – This feature enables the POP-before-SMTP function.

POP before SMTP means that you can send mail once you have authenticated to read mail. POP is used to retrieve mail from the server. The client IP is logged to /var/maillogs; a logging program (in the case of cPanel, antirelayd) checks this log and adds the IP to /etc/relayhosts for 30 minutes. Relaying from that host, i.e. an SMTP connection, is then allowed. Advantage: a second authentication for SMTP is not needed.

15. IGNORE_ALLOW – This feature makes lfd ignore the IP addresses listed in csf.allow in addition to those in csf.ignore (the default).

16. DNS_STRICT – If you want to apply strict iptables rules to DNS traffic, enable this option. Enabling it can cause DNS resolution issues both to and from the server, but could help prevent abuse of the local DNS server.

17. DENY_IP_LIMIT – Maximum number of IP addresses that can be saved in the /etc/csf/csf.deny file. When an IP address is blocked using csf -d, the limit is checked, and if it has been reached an old entry is deleted to make room.

18. DENY_TEMP_IP_LIMIT – Maximum number of IP addresses kept in the temporary IP ban list.

19. LF_DAEMON – Enable the login failure detection daemon (lfd). If this option is disabled, none of the lfd settings will have any effect, as the daemon won't start.

20. LF_CSF – Check whether csf appears to have been stopped and restart it if necessary, unless TESTING is enabled. The check is done every 300 seconds.

21. LF_QUICKSTART – If this option is enabled, a CLI request to restart csf will not rebuild the iptables rules; instead csf signals lfd to rebuild them within LF_PARSE seconds.

22. VERBOSE – Enable verbose output of iptables commands.

23. PACKET_FILTER – Enable packet filtering for unwanted or illegal packets.

24. LF_LOOKUPS – Perform reverse DNS lookups on IP addresses.

SMTP Settings

25. SMTP_BLOCK – Block outgoing SMTP except for root, exim and mailman. It is equivalent to the SMTP Tweak setting in WHM.

26. SMTP_ALLOWLOCAL – If SMTP_BLOCK is enabled but you want to allow local connections to port 25 on the server (e.g. for webmail or web scripts), enable this option to allow outgoing SMTP connections to the loopback device.

27. SMTP_PORTS – This is a comma-separated list of the ports to block. It should list all ports that exim is configured to listen on.

28. SMTP_ALLOWUSER and SMTP_ALLOWGROUP – Comma-separated lists of users and groups that are allowed to bypass SMTP_BLOCK.

Port Flood Settings

29. SYNFLOOD – This feature enables SYN flood protection. The idea of SYN flood protection is that you decide how many connection attempts you find acceptable from a given IP address. This option should ONLY be enabled if you know you are under a SYN flood attack, as once triggered it will slow down all new connections from any IP address to the server.

30. SYNFLOOD_RATE – The rate should be set so that false positives are kept to a minimum, otherwise visitors may see connection issues.

31. SYNFLOOD_BURST – If SYNFLOOD_RATE is set to 5/s and SYNFLOOD_BURST is set to 3, then if 5 connections per second are received from an IP 3 times, that IP is blocked.

32. CONNLIMIT – This option limits the number of concurrent new connections per IP address that can be made to specific ports. It can also be used simply to limit resource usage by IP address for specific server services. It configures iptables to offer more protection from DoS attacks against specific ports. This feature does not work on servers that do not have the iptables module xt_connlimit loaded. Run /etc/csf/csftest.pl to check whether this option will function on your server.

33. PORTFLOOD – This option limits the number of new connections per time interval that can be made to specific ports. It configures iptables to offer protection from DoS attacks against specific ports. This feature does not work on servers that do not have the iptables module ipt_recent loaded.

Logging Settings

34. SYSLOG – Log lfd messages to SYSLOG in addition to /var/log/lfd.log. The perl module Sys::Syslog should be installed to use this feature.

35. DROP – Drop target for iptables rules. This can be set to either DROP or REJECT. REJECT will send back an error packet, DROP will not respond at all.

36. DROP_LOGGING – Enable logging of dropped connections to blocked ports to syslog, usually /var/log/messages. This option needs to be enabled to use Port Scan Tracking.

37. DROP_IP_LOGGING – Enable logging of dropped connections to blocked IP addresses in csf.deny or by lfd with temporary connection tracking blocks. This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL).

38. DROP_ONLYRES – Only log reserved port dropped connections (0:1023).

39. DROP_NOLOG – Commonly blocked ports that you do not want logged, as they tend to just fill up the log file.

40. DROP_PF_LOGGING – Log packets dropped by the packet filtering option PACKET_FILTER.

41. CONNLIMIT_LOGGING – Log packets dropped by the Connection Limit Protection option CONNLIMIT. If this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP addresses breaking the Connection Limit Protection will be blocked.

42. LOGFLOOD_ALERT – Send an alert if log file flooding is detected; flooding causes lfd to skip log lines to prevent lfd from looping. If this alert is sent you should check the reported log file for the reason for the flooding.

43. WATCH_MODE – Configure csf to watch IP addresses (with csf -w [ip]).

Reporting Settings

44. LF_ALERT_TO – LFD will send alert emails using the relevant alert template to the To: address configured within that template.

45. LF_ALERT_FROM – LFD will send alert emails using the relevant alert template from the From: address configured within that template.

Temp to Perm/Netblock Settings

46. LF_PERMBLOCK – This enables the feature to permanently block IP addresses that have been temporarily blocked more than LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds.

47. LF_PERMBLOCK_INTERVAL – The time window (in seconds) within which the temporary blocks of an IP address are counted.

48. LF_PERMBLOCK_COUNT – The number of times an IP address must be temporarily blocked within that window before it is blocked permanently.

49. LF_PERMBLOCK_ALERT – Enable the alert for permanent blocks.

50. LF_NETBLOCK – Permanently block IPs by network class. When this feature is enabled, it permanently blocks a class of IP addresses when individual IP addresses within the same class (LF_NETBLOCK_CLASS) have already been blocked more than LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds.

51. LF_NETBLOCK_INTERVAL – The time window (in seconds) within which the blocks of addresses in a network class are counted.

52. LF_NETBLOCK_COUNT – The number of times addresses within the network class must be temporarily blocked within that window before the class is blocked permanently.

53. LF_NETBLOCK_CLASS – The network class to be blocked.

54. LF_NETBLOCK_ALERT – Enable or disable the alert for network class blocks.
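The following is an added example, not csf's own code, that simulates the temp-to-perm escalation and network class blocking described above over a constructed history of lfd temporary blocks. It follows the wording above literally (more than COUNT temporary blocks within the last INTERVAL seconds) and maps classes A, B and C to /8, /16 and /24; the settings and block history are constructed, not taken from a real server.

```python
import ipaddress
from collections import defaultdict

# Constructed settings for the parameters described above (not a real server's).
CONF = {
    "LF_PERMBLOCK": "1", "LF_PERMBLOCK_INTERVAL": "86400", "LF_PERMBLOCK_COUNT": "4",
    "LF_NETBLOCK": "1", "LF_NETBLOCK_INTERVAL": "86400", "LF_NETBLOCK_COUNT": "4",
    "LF_NETBLOCK_CLASS": "C",
}
PREFIX = {"A": 8, "B": 16, "C": 24}  # network class -> prefix length

NOW = 100000
# Constructed lfd temporary-block history: (unix time, ip); 203.0.113.10 has
# five blocks inside the 24h window, the others fewer, and one 198.51.100.5
# block lies outside the window.
TEMP_BLOCKS = [
    (NOW - 80000, "203.0.113.10"), (NOW - 60000, "203.0.113.10"),
    (NOW - 40000, "203.0.113.10"), (NOW - 20000, "203.0.113.10"),
    (NOW - 1000, "203.0.113.10"),
    (NOW - 90000, "203.0.113.20"), (NOW - 50000, "203.0.113.21"),
    (NOW - 30000, "203.0.113.22"),
    (NOW - 200000, "198.51.100.5"), (NOW - 100, "198.51.100.5"),
]

def exceeded(temp_blocks, key, interval, count, now):
    """Group the blocks inside the last INTERVAL seconds by KEY(ip) and return
    the keys that were blocked more than COUNT times."""
    per_key = defaultdict(int)
    for t, ip in temp_blocks:
        if now - t <= interval:
            per_key[key(ip)] += 1
    return {k for k, n in per_key.items() if n > count}

def escalate(conf, temp_blocks, now):
    """Return (perm_ips, perm_networks) that the rules above would move to a
    permanent block in csf.deny."""
    perm_ips, perm_nets = set(), set()
    if conf.get("LF_PERMBLOCK") == "1":
        perm_ips = exceeded(temp_blocks, lambda ip: ip,
                            int(conf["LF_PERMBLOCK_INTERVAL"]),
                            int(conf["LF_PERMBLOCK_COUNT"]), now)
    if conf.get("LF_NETBLOCK") == "1":
        plen = PREFIX[conf.get("LF_NETBLOCK_CLASS", "C")]
        perm_nets = exceeded(temp_blocks,
                             lambda ip: str(ipaddress.ip_network(f"{ip}/{plen}", strict=False)),
                             int(conf["LF_NETBLOCK_INTERVAL"]),
                             int(conf["LF_NETBLOCK_COUNT"]), now)
    return perm_ips, perm_nets
```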

Login Failure Blocking and Alerts

55. LF_TRIGGER – If you set LF_TRIGGER to “0”, the value of each trigger is the number of failures against that application that will trigger lfd to block the IP address. If you set LF_TRIGGER to a value greater than “0” then the application triggers are simply on or off (“0” or “1”) and the value of LF_TRIGGER is the total cumulative number of failures that will trigger lfd to block the IP address.

56. LF_TRIGGER_PERM – If LF_TRIGGER is > “0” then LF_TRIGGER_PERM can be set to “1” to permanently block the IP address, or LF_TRIGGER_PERM can be set to a value greater than “1” and the IP address will be blocked temporarily for that value in seconds. For example:

LF_TRIGGER_PERM = “1” => the IP is blocked permanently

LF_TRIGGER_PERM = “3600” => the IP is blocked temporarily for 1 hour

If LF_TRIGGER is “0”, then the application LF_[application]_PERM value works in the same way as above and LF_TRIGGER_PERM serves no function.
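The following added example (not csf's own code) models the two LF_TRIGGER modes described above for one IP's failure counts. The per-application keys follow csf's LF_[application] naming (LF_SSHD, LF_SSHD_PERM, ...); the settings and failure counts are constructed, and a block is assumed to fire when the failure count reaches the configured value.

```python
# Constructed settings for the two LF_TRIGGER modes described above.
PER_APP_CONF = {
    "LF_TRIGGER": "0", "LF_TRIGGER_PERM": "1",    # LF_TRIGGER_PERM unused in this mode
    "LF_SSHD": "5", "LF_SSHD_PERM": "1",          # 5 sshd failures -> permanent block
    "LF_FTPD": "10", "LF_FTPD_PERM": "3600",      # 10 ftpd failures -> 1 hour block
    "LF_SMTPAUTH": "0", "LF_SMTPAUTH_PERM": "1",  # 0 = tracking disabled for this app
}
CUMULATIVE_CONF = {
    "LF_TRIGGER": "10", "LF_TRIGGER_PERM": "3600",
    "LF_SSHD": "1", "LF_FTPD": "1", "LF_SMTPAUTH": "0",  # plain on/off switches
}
APPS = ("SSHD", "FTPD", "SMTPAUTH")

def duration(perm_value):
    """"1" means a permanent block; a larger value is a temporary block in seconds."""
    return "perm" if perm_value == "1" else int(perm_value)

def block_decision(conf, failures):
    """failures: {app: failure count for one IP}. Returns None (no block),
    "perm", or the number of seconds of a temporary block."""
    trigger = int(conf.get("LF_TRIGGER", "0"))
    if trigger == 0:
        # Per-application mode: each LF_<APP> is its own failure threshold and
        # LF_<APP>_PERM decides the block type; LF_TRIGGER_PERM plays no role.
        for app in APPS:
            limit = int(conf.get(f"LF_{app}", "0"))
            if limit and failures.get(app, 0) >= limit:
                return duration(conf.get(f"LF_{app}_PERM", "1"))
        return None
    # Cumulative mode: LF_<APP> is an on/off switch and LF_TRIGGER is the
    # combined failure threshold across the enabled applications.
    total = sum(failures.get(app, 0) for app in APPS if conf.get(f"LF_{app}") == "1")
    if total >= trigger:
        return duration(conf.get("LF_TRIGGER_PERM", "1"))
    return None
```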

57. LF_SELECT

Account Tracking

AT_ALERT – This option enables the tracking of modifications to the accounts on the server. If any of the enabled options is triggered by a modification to an account, an alert mail is sent. Only the modification is reported; the cause of the modification needs to be investigated manually.

You can set AT_ALERT to the following:

  1. 0 = disable this feature
  2. 1 = enable this feature for all accounts
  3. 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
  4. 3 = enable this feature only for the root account

AT_INTERVAL – The interval between checks, in seconds.

AT_NEW – Send an alert if a new account is created.

AT_OLD – Send an alert if an existing account is deleted.

AT_PASSWD – Send an alert if an account password has changed.

AT_UID – Send an alert if an account UID has changed.

AT_GID – Send an alert if an account GID has changed.

AT_DIR – Send an alert if an account login directory has changed.

AT_SHELL – Send an alert if an account login shell has changed.

    • hardik
    • August 29th, 2013

    Sir, I have applied csf in Webmin. I made my laptop's DNS x1.x.x.x and my DNS has my site IP database as x2.x.x.x, but I want to block all connections other than 10000, 80 and 22. I also want to DNAT all requests for port 80 to 3128. I added my IP in csf.allow for this, and my csf firewall is installed on server x2.x.x.x. Please help me, this is not working, and give me a rule for allowing all ports open for localhost.
