To have CSF send an alert mail on invalid SSH or cPanel login attempts, set LF_ALERT_TO = "your email address" in /etc/csf/csf.conf (the LF_SSHD and LF_CPANEL triggers and LF_DAEMON must be enabled as well, see the parameter list below), then restart csf and lfd (csf -r; service lfd restart). To verify, attempt a login with invalid credentials from an address that is not listed in csf.ignore (lfd does not track those) and check in the log of exim, the cPanel MTA, /var/log/exim_mainlog, that the alert mail was accepted from lfd and delivered to your address. Repeated failures from your test address will get it blocked, so either test from a host you can afford to lose for a while or remove the block afterwards with csf -tr <ip> (temporary block) or csf -dr <ip> (csf.deny entry).
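The two halves of that step, editing the key in csf.conf and confirming in the exim log that the alert left the server, are easy to get subtly wrong by hand (a typo in the key name is silently ignored by csf; a mail that exim accepted is not necessarily one it delivered). The following is an added example, not part of csf or cPanel, that does both against constructed copies of csf.conf and exim_mainlog. The file contents, message IDs, host names and addresses are made up; the csf.conf line format (KEY = "value") and the exim "<=" received / "=>" delivered log lines with the subject in T="..." (logged when exim's subject log selector is on, as on cPanel) are the real formats.

```shell
#!/bin/sh
# Added example (not csf's own code): edit csf.conf keys idempotently and
# count lfd alert mails that exim actually delivered. Runs against constructed
# copies of the files so it can be tried without touching a live server.

# csf_get KEY FILE -> prints the value of KEY without the surrounding quotes
csf_get() {
    sed -n "s/^$1 *= *\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# csf_set KEY VALUE FILE -> rewrites the KEY line in place, keeping FILE.bak.
# Refuses to add keys that the file does not already contain: csf ignores
# unknown keys silently, so a typo would otherwise go unnoticed.
csf_set() {
    key=$1; val=$2; file=$3
    grep -q "^$key *= *\"" "$file" || {
        echo "csf_set: $key not found in $file" >&2; return 1; }
    esc=$(printf '%s' "$val" | sed 's/[\\&|]/\\&/g')   # escape sed metachars
    cp -p "$file" "$file.bak" &&
    sed "s|^$key *= *\"[^\"]*\"|$key = \"$esc\"|" "$file.bak" > "$file"
}

# lfd_alerts_delivered LOG ADDRESS -> number of lfd alert messages in an exim
# main log that were delivered to ADDRESS. A received message is logged as
# "<id> <= sender ... T=\"subject\"" and each delivery as "<id> => recipient".
# Only messages whose subject starts with "lfd on " are counted, so cron mail
# and other traffic to the same address is ignored.
lfd_alerts_delivered() {
    awk -v addr="$2" '
        $4 == "<=" && $0 ~ /T="lfd on / { lfd[$3] = 1 }
        $4 == "=>" && ($3 in lfd) && $5 == addr { n++ }
        END { print n + 0 }' "$1"
}

# Constructed sample files (not taken from a real server).
write_sample_csf_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
LF_DAEMON = "1"
LF_ALERT_TO = ""
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF
}
write_sample_exim_log() {
    cat > "$1" <<'EOF'
2014-09-10 12:00:01 1XRa2b-0001Ab-Cd <= root@host.example.com U=root P=local S=1210 T="lfd on host.example.com: Failed SSH login from 203.0.113.5" for admin@example.com
2014-09-10 12:00:02 1XRa2b-0001Ab-Cd => admin@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.25]
2014-09-10 12:00:02 1XRa2b-0001Ab-Cd Completed
2014-09-10 12:05:00 1XRa7f-0001Bq-Zz <= root@host.example.com U=root P=local S=640 T="Cron <root@host> /usr/local/bin/backup" for admin@example.com
2014-09-10 12:05:01 1XRa7f-0001Bq-Zz => admin@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.25]
2014-09-10 12:05:01 1XRa7f-0001Bq-Zz Completed
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_csf_conf "$dir/csf.conf"
    write_sample_exim_log "$dir/exim_mainlog"
    csf_set LF_ALERT_TO admin@example.com "$dir/csf.conf"
    csf_set TESTING 0 "$dir/csf.conf"
    printf 'LF_ALERT_TO is now: %s\n' "$(csf_get LF_ALERT_TO "$dir/csf.conf")"
    printf 'lfd alerts delivered to admin@example.com: %s\n' \
        "$(lfd_alerts_delivered "$dir/exim_mainlog" admin@example.com)"
    rm -rf "$dir"
}
demo
```

On a real server point csf_set at /etc/csf/csf.conf and follow it with csf -r and a restart of lfd; the function deliberately does not restart anything itself, so you can review the diff against the .bak copy first. Note that csf_set matches the key at the start of the line only, so TESTING does not clobber TESTING_INTERVAL.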
CSF Configuration Parameters

Some of the important CSF configuration parameters (all set in /etc/csf/csf.conf) and what they do:

1. TESTING – Puts csf in testing mode (1) or active mode (0). lfd will not start while testing mode is enabled, so set TESTING to 0 once you have confirmed that the rules do not lock you out.
2. TESTING_INTERVAL – While TESTING is enabled, a cron job flushes all of csf's iptables rules every TESTING_INTERVAL minutes, so a mistake in the rules cannot lock you out for good. In active mode no such cron job is installed.
3. AUTO_UPDATES – If enabled, a cron job (/etc/cron.d/csf_update) checks once per day whether a new csf+lfd release is available, upgrades if so and restarts csf and lfd. Upgrades do not overwrite configuration files or email templates. An email is sent to root after each update.

Port Settings
4. TCP_IN – Incoming TCP ports to allow, as a comma separated list. A range of ports is written with a colon, e.g. 30000:35000.
5. TCP_OUT – Outgoing TCP ports to allow.
6. UDP_IN – Incoming UDP ports to allow.
7. UDP_OUT – Outgoing UDP ports to allow. traceroute uses UDP; to allow outgoing traceroute, add 33434:33523 to this list.
8. ICMP_IN – Allow incoming PING (ICMP echo requests).
9. ICMP_IN_RATE – Per-IP rate limit for incoming ICMP packets.
10. ICMP_OUT – Allow outgoing PING.
11. ICMP_OUT_RATE – Per-IP rate limit for outgoing ICMP packets, e.g. "1/s".

General Settings
12. ETH_DEVICE – The NIC to which the iptables rules are applied. Left empty (the default), csf filters all traffic on every interface except the loopback device.
13. ETH_DEVICE_SKIP – NICs on which csf should not apply its iptables rules.
14. RELAYHOSTS – Enables support for cPanel's POP-before-SMTP feature. POP is used to fetch mail from the server; when a client authenticates to read mail, its IP address is logged to /var/log/maillog, picked up by the log watcher (antirelayd on cPanel) and written to /etc/relayhosts for 30 minutes. During that time the IP may relay mail through SMTP without authenticating a second time. With RELAYHOSTS enabled, lfd allows the IPs listed in /etc/relayhosts through the firewall.
15. IGNORE_ALLOW – lfd ignores the IP addresses listed in csf.allow in addition to those in csf.ignore (by default only csf.ignore is exempt from lfd's blocking).
16. DNS_STRICT – Apply strict iptables rules to DNS traffic. This can cause DNS resolution issues both to and from the server, but may help prevent abuse of the local DNS server.
17. DENY_IP_LIMIT – Maximum number of entries kept in /etc/csf/csf.deny. When an IP is blocked with csf -d and the limit has been reached, the oldest entry is removed to make room.
18. DENY_TEMP_IP_LIMIT – Maximum number of entries in the temporary IP ban list.
19. LF_DAEMON – Enable the login failure detection daemon (lfd). If disabled, none of the LF_* settings below have any effect, because the daemon does not start.
20. LF_CSF – lfd checks every 300 seconds whether csf appears to have been stopped and restarts it if necessary, unless TESTING is enabled.
21. LF_QUICKSTART – When enabled, a CLI request to restart csf does not rebuild the iptables rules immediately; instead lfd is told to rebuild them within LF_PARSE seconds.
22. VERBOSE – Verbose output of iptables commands.
23. PACKET_FILTER – Enable packet filtering for unwanted or illegal packets.
24. LF_LOOKUPS – Perform reverse DNS lookups on IP addresses.

SMTP Settings
25. SMTP_BLOCK – Block outgoing SMTP except from root, exim and mailman, so that scripts and accounts cannot deliver mail directly to remote mail servers and must go through the local exim instead. Equivalent to the SMTP Tweak setting in WHM.
26. SMTP_ALLOWLOCAL – If SMTP_BLOCK is enabled but you still want local connections to port 25 on the server (e.g. from webmail or web scripts), enable this option to allow outgoing SMTP connections to the loopback device.
27. SMTP_PORTS – Comma separated list of the ports to block; it should list every port exim is configured to listen on.
28. SMTP_ALLOWUSER and SMTP_ALLOWGROUP – Comma separated lists of users and groups allowed to bypass SMTP_BLOCK.

Port Flood Settings
29. SYNFLOOD – Enable SYN flood protection. csf adds a rate limit on new TCP connections (SYN packets) and drops SYNs that exceed it. The limit is global, not per source IP, which is why this option should ONLY be enabled when you know you are under a SYN flood attack: once triggered, it slows down all new connections from any IP address to the server.
30. SYNFLOOD_RATE – The sustained rate of SYNs accepted, in iptables --limit syntax (e.g. "100/s"). Set it high enough that false positives are kept to a minimum, otherwise visitors will see connection issues.
31. SYNFLOOD_BURST – The burst allowance, passed to iptables as --limit-burst: the number of SYN packets that can arrive back to back before the SYNFLOOD_RATE limit applies; the allowance refills at SYNFLOOD_RATE. With SYNFLOOD_RATE = "5/s" and SYNFLOOD_BURST = "3", three SYNs are accepted at once and thereafter only five per second; it does not mean "five connections per second, three times, then block".
32. CONNLIMIT – Limits the number of concurrent connections per IP address to specific ports, in the format port;limit,port;limit (e.g. 22;5,80;20). This configures iptables to offer more protection from DoS attacks against specific ports and can also simply cap per-IP resource usage for particular services. It requires the xt_connlimit iptables module; run /etc/csf/csftest.pl to check whether it will work on this server.
33. PORTFLOOD – Limits the number of new connections per time interval that can be made to specific ports, again to protect specific ports from DoS attacks. It requires the ipt_recent iptables module (xt_recent on newer kernels).

Logging Settings
34. SYSLOG – Log lfd messages to syslog in addition to /var/log/lfd.log. The Perl module Sys::Syslog must be installed to use this feature.
35. DROP – Target for csf's blocking iptables rules: DROP or REJECT. REJECT sends an error packet back to the sender; DROP does not respond at all, so the sender has to time out.
36. DROP_LOGGING – Log dropped connections to blocked ports to syslog, usually /var/log/messages. This must be enabled to use Port Scan Tracking.
37. DROP_IP_LOGGING – Log dropped connections from IP addresses blocked in csf.deny or blocked temporarily by lfd. This option is disabled automatically if you enable Port Scan Tracking (PS_INTERVAL).
38. DROP_ONLYRES – Only log dropped connections to reserved ports (0:1023).
39. DROP_NOLOG – Commonly blocked ports that you do not want logged, because they tend to just fill up the log file.
40. DROP_PF_LOGGING – Log packets dropped by the PACKET_FILTER option.
41. CONNLIMIT_LOGGING – Log packets dropped by the CONNLIMIT option. If this and Port Scan Tracking (PS_INTERVAL) are both enabled, IP addresses breaking the connection limit are blocked.
42. LOGFLOOD_ALERT – Send an alert when log file flooding is detected; lfd skips log lines in that situation to avoid looping. If you receive this alert, check the reported log file for the cause of the flooding.
43. WATCH_MODE – Allow csf to watch IP addresses (csf -w [ip]) so that their packets are logged as they pass through csf's chains, which helps when debugging rules.

Reporting Settings
44. LF_ALERT_TO – By default lfd sends alert emails to the To: address configured within each alert template. Setting LF_ALERT_TO overrides that To: address for all lfd alert emails.
45. LF_ALERT_FROM – Likewise overrides the From: address configured within the alert templates.

Temp to Perm/Netblock Settings
46. LF_PERMBLOCK – Permanently block IP addresses that have been temporarily blocked more than LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds.
47. LF_PERMBLOCK_INTERVAL – The window, in seconds, over which temporary blocks of an IP address are counted.
48. LF_PERMBLOCK_COUNT – The number of temporary blocks within that window after which the IP address is blocked permanently.
49. LF_PERMBLOCK_ALERT – Send an alert email when an IP address is escalated to a permanent block.
50. LF_NETBLOCK – Permanently block whole network classes: a class of size LF_NETBLOCK_CLASS is blocked once more than LF_NETBLOCK_COUNT individual IP addresses within it have been blocked in the last LF_NETBLOCK_INTERVAL seconds.
51. LF_NETBLOCK_INTERVAL – The window, in seconds, over which blocks of individual IPs within a class are counted.
52. LF_NETBLOCK_COUNT – The number of individual IP addresses within the same class that must have been blocked within that window before the whole class is blocked.
53. LF_NETBLOCK_CLASS – The size of the network class to block: A, B or C. Blocking a whole class also cuts off every legitimate host in that range, so anything larger than C is rarely appropriate.
54. LF_NETBLOCK_ALERT – Send an alert email when a netblock is blocked.

Login Failure Blocking and Alerts
55. LF_TRIGGER – If LF_TRIGGER is "0", each application trigger (LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, LF_CPANEL and so on) is the number of failures against that application that will make lfd block the IP address. If LF_TRIGGER is greater than "0", the application triggers are simply on or off ("0" or "1") and LF_TRIGGER is the total cumulative number of failures, across all enabled applications, that will make lfd block the IP address.
56. LF_TRIGGER_PERM – If LF_TRIGGER is greater than "0", LF_TRIGGER_PERM can be set to "1" to block the IP address permanently, or to a value greater than "1" to block it temporarily for that many seconds. For example: LF_TRIGGER_PERM = "1" => the IP is blocked permanently; LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour. If LF_TRIGGER is "0", the per-application LF_[application]_PERM value works in the same way and LF_TRIGGER_PERM has no effect.
57. LF_SELECT – If set to "1", lfd blocks the offending IP address only on the port(s) of the application the failures were against, instead of on all ports.

Account Tracking
AT_ALERT – Enables tracking of modifications to the accounts on the server. If any of the enabled checks below is triggered by a modification to an account, an alert mail is sent. Only the modification itself is reported; its cause (an administrator, a control panel action, a cron job, or a compromise) has to be investigated manually. With AT_ALERT enabled, the following options choose which modifications are reported:
AT_NEW – Send an alert if a new account is created.
AT_OLD – Send an alert if an existing account is deleted.
AT_PASSWD – Send an alert if an account password has changed.
AT_UID – Send an alert if an account uid has changed.
AT_GID – Send an alert if an account gid has changed.
AT_DIR – Send an alert if an account login directory has changed.
AT_SHELL – Send an alert if an account login shell has changed.

Allowing remote MySQL access through CSF

To let a client server connect to MySQL on this server, MySQL must listen on the network and csf must allow the port on both servers. First edit /etc/my.cnf:

    port = 3306
    bind-address = YOUR-SERVER-IP
    # skip-networking    <- hash (comment out) this entry

and restart MySQL: /etc/init.d/mysql restart

Then grant access to the remote IP address. Log in to MySQL with mysql -u root -p mysql and, if the remote IP is 123.12.12.21, run:

    GRANT ALL ON db.* TO dbuser@'123.12.12.21' IDENTIFIED BY 'PASSWORD';

Restrict the grant to the one client address as shown (never to '%'), and grant only the privileges the application needs rather than ALL. On MySQL 8 the account has to be created first with CREATE USER, because IDENTIFIED BY is no longer accepted on GRANT.

Finally allow the port in /etc/csf/csf.allow, using csf's advanced rule syntax (protocol|direction|port|address). On the MySQL server, allow inbound connections to 3306 from the client:

    tcp|in|d=3306|s=192.168.x.x

and on the client server, allow outbound connections to 3306 on the MySQL server (only needed if TCP_OUT does not already include 3306):

    tcp|out|d=3306|d=192.168.x.x

(192.168.x.x and 123.12.12.21 are placeholders; use the same client address in the GRANT and in the in rule.) Restart csf with: csf -r
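Returning to the login failure settings above: the way LF_TRIGGER changes the meaning of the per-application triggers (items 55 and 56) is the part of csf.conf most often misread. The following is an added worked example, not csf's own code, that applies both rules to a constructed list of login failures and shows which IPs would be blocked under each setting. The failure list is made up and is already reduced to "application ip" pairs (in reality lfd extracts these from the application logs); only the sshd and cpanel triggers are modelled, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of csf): worked illustration of LF_TRIGGER.
# FAILURES is a constructed list of login failures, one "app ip" pair per
# line, standing in for what lfd extracts from the real application logs.
FAILURES='sshd 203.0.113.5
sshd 203.0.113.5
sshd 203.0.113.5
cpanel 203.0.113.5
cpanel 203.0.113.5
sshd 198.51.100.7
sshd 198.51.100.7
sshd 198.51.100.7
sshd 198.51.100.7
sshd 198.51.100.7
cpanel 192.0.2.9'

# lf_decide LF_TRIGGER LF_SSHD LF_CPANEL
# Prints one line per IP that lfd would block, sorted:
#   "ip app count"        when LF_TRIGGER = 0 (per-application thresholds)
#   "ip cumulative count" when LF_TRIGGER > 0 (LF_SSHD/LF_CPANEL are then
#                         only on/off switches and LF_TRIGGER is the total)
lf_decide() {
    printf '%s\n' "$FAILURES" | awk -v trig="$1" -v t_sshd="$2" -v t_cpanel="$3" '
        NF < 2 { next }
        {
            app = $1; ip = $2
            thr = (app == "sshd") ? t_sshd : t_cpanel
            if (thr == 0) next          # trigger for this application disabled
            per_app[ip SUBSEP app]++
            total[ip]++
        }
        END {
            if (trig == 0) {
                for (k in per_app) {
                    split(k, p, SUBSEP); ip = p[1]; app = p[2]
                    thr = (app == "sshd") ? t_sshd : t_cpanel
                    if (per_app[k] >= thr)
                        printf "%s %s %d\n", ip, app, per_app[k]
                }
            } else {
                for (ip in total)
                    if (total[ip] >= trig)
                        printf "%s cumulative %d\n", ip, total[ip]
            }
        }' | sort
}

# lf_block_duration LF_TRIGGER_PERM -> how long a triggered block lasts
# ("1" means permanent, anything greater is a number of seconds).
lf_block_duration() {
    if [ "$1" -eq 1 ]; then echo permanent; else echo "$1 seconds"; fi
}

echo "LF_TRIGGER=0, LF_SSHD=5, LF_CPANEL=5 (per application):"
lf_decide 0 5 5
echo "LF_TRIGGER=5, LF_SSHD=1, LF_CPANEL=1 (cumulative over both):"
lf_decide 5 1 1
echo "LF_TRIGGER=5, LF_SSHD=1, LF_CPANEL=0 (cumulative, cPanel failures ignored):"
lf_decide 5 1 0
echo "LF_TRIGGER_PERM=3600 -> $(lf_block_duration 3600)"
```

The first run blocks only 198.51.100.7 (five sshd failures), because 203.0.113.5 never reaches five failures against any single application. The second run blocks both, because its three sshd and two cpanel failures add up to the cumulative total of five; the third shows that turning a trigger off in cumulative mode removes that application's failures from the count entirely.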
Archives: September 2014