Instructions for installing and configuring anti-DoS CSF, anti-Hack (ConfigServer & Firewall) - P2 configuration
Monday, 26 May 2014
- The configuration file is /etc/csf/csf.conf. The other files mentioned below, where no path is given, are also located in the /etc/csf/ directory.
- Configuration parameters take the form ARGS = "VALUE", where:
+ VALUE = "0" => disabled
+ VALUE = "1" => enabled
+ VALUE > 1 (VALUE = "20", VALUE = "30" ...): a maximum count.
+ VALUE > 1 (VALUE = "1800", VALUE = "3600" ...): a maximum time.
Start:
Code:
TESTING = "0"
The default setting is TESTING = "1". While TESTING = "1", the LFD daemon (Login Failure Detection daemon) does not run, so if something is misconfigured the server will not block your own IP. Once you feel the configuration is stable, turn TESTING off so that LFD starts and begins blocking attacking IPs.
Code:
TESTING_INTERVAL = "5"
Interval, in minutes, of the cron job that clears the iptables rules while TESTING = 1.
Code:
AUTO_UPDATES = "0"
Disable automatic updates.
Code:
TCP_IN = "22,25,53,80,443"
Allowed incoming TCP ports: lets users connect to the SSH, sendmail (SMTP), DNS and web services.
Code:
TCP_OUT = "25,80"
Allowed outgoing TCP ports: lets the server connect to other web servers and mail servers.
Code:
UDP_IN = "53"
Allowed incoming UDP ports: lets users query the DNS service on the server.
Code:
UDP_OUT = "53"
Allowed outgoing UDP ports: lets the server query external DNS servers.
Code:
ICMP_IN = "1"
Allow ping (ICMP) to the server.
Code:
ICMP_IN_RATE = "1/s"
Rate limit for pings to the server, here 1/s. Pings faster than this get "Request timeout". When many people ping the server at the same time, most of them will see "Request timeout" because the server accepts only one request per second, which makes us mistakenly think there is a network connectivity or packet loss problem when there is not. Raising this parameter, or removing the limit (set VALUE = "0"), remedies the situation.
Code:
ETH_DEVICE = "eth0"
By default CSF configures iptables to filter all traffic on every network interface except loopback. If you only want the iptables rules applied to the interface "eth0", specify it here.
Code:
ETH_DEVICE_SKIP = "eth1"
If there is an interface you do not want iptables rules applied to, list it here. For example, if "eth1" is the local (LAN) interface and you do not want to filter it, configure it as above.
Code:
DENY_IP_LIMIT = "500"
Limit on the number of IPs "permanently" blocked by CSF (these IPs are stored in /etc/csf/csf.deny). The number depends on the resources of each server: on a VPS about "200" is reasonable, on a dedicated server about "500". When the number of blocked IPs exceeds this figure, CSF automatically unblocks the oldest IP (the IP on line 1 of /etc/csf/csf.deny).
Code:
LF_DAEMON = "1"
Enables login failure detection.
Code:
LF_CSF = "1"
Automatically restart CSF if it has been stopped.
Code:
PACKET_FILTER = "1"
Filter invalid TCP packets (INVALID state: for example a wrong sequence number, or a connection that was not established through a complete three-way handshake ...).
Code:
IPV6 = "0"
Disable IPv6 support.
Code:
SYNFLOOD = "1" SYNFLOOD_RATE = "30/s" SYNFLOOD_BURST = "40"
Enable SYN flood protection: if one IP sends 30 SYN packets within 1 s and the number of its SYN connections open on the server exceeds 40, block that IP (temporary block).
Code:
CONNLIMIT = "80;20"
Limit the number of concurrent new connections to the server per IP. The example above means each IP may open 20 concurrent new connections to port 80 on the server.
Code:
PORTFLOOD = "80;tcp;20;5"
Limit the number of connections to a specific port within a given period. The example above means: if an IP makes more than 20 TCP connections to port 80 within 5 seconds, block that IP for at least 5 s after its last packet. After 5 s the IP is automatically unblocked and can access the server normally again.
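As an added example (not code from the original post or from CSF), a small Python checker for the separator syntax of the port-list, CONNLIMIT, PORTFLOOD and rate values described above. The csf.conf excerpt it checks is constructed and deliberately seeds two of the slips that are easy to make when editing by hand.

```python
import re

# Constructed csf.conf excerpt in the KEY = "VALUE" form used in this post.
# TCP_OUT and ICMP_IN_RATE deliberately carry typos a hand edit can introduce.
SAMPLE_CONF = '''
TCP_IN = "22,25,53,80,443"
TCP_OUT = "25.80"
CONNLIMIT = "80;20"
PORTFLOOD = "80;tcp;20;5"
SYNFLOOD_RATE = "30/s"
ICMP_IN_RATE = "1 / s"
'''

LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"(.*)"\s*$')
PORT_LISTS = ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT", "DROP_NOLOG", "CT_PORTS")
RATES = ("SYNFLOOD_RATE", "ICMP_IN_RATE")

def parse_conf(text):
    """Map KEY -> VALUE for every KEY = "VALUE" line; comments and blanks are skipped."""
    return {m.group(1): m.group(2) for m in map(LINE_RE.match, text.splitlines()) if m}

def is_port(p):
    # A single port "80" or a "low:high" range, every number within 1..65535.
    parts = p.split(":")
    return len(parts) in (1, 2) and all(x.isdigit() and 1 <= int(x) <= 65535 for x in parts)

def connlimit_ok(entry):           # "port;limit"
    f = entry.split(";")
    return len(f) == 2 and is_port(f[0]) and f[1].isdigit()

def portflood_ok(entry):           # "port;proto;hits;interval"
    f = entry.split(";")
    return (len(f) == 4 and is_port(f[0]) and f[1] in ("tcp", "udp")
            and f[2].isdigit() and f[3].isdigit())

def check_value(key, value):
    """True if VALUE uses the separator syntax csf expects for KEY."""
    if key in PORT_LISTS:          # comma-separated ports or ranges
        return value == "" or all(is_port(p) for p in value.split(","))
    if key == "CONNLIMIT":         # comma-separated "port;limit" entries
        return all(connlimit_ok(e) for e in value.split(","))
    if key == "PORTFLOOD":         # comma-separated "port;proto;hits;interval" entries
        return all(portflood_ok(e) for e in value.split(","))
    if key in RATES:               # "N/s" with no spaces, as used in this post
        return re.fullmatch(r"\d+/s", value) is not None
    return True                    # keys this checker does not know about pass

def lint(text):
    """Return the keys whose values fail the syntax check, in file order."""
    return [k for k, v in parse_conf(text).items() if not check_value(k, v)]
```

Running lint over the real /etc/csf/csf.conf before `csf -r` catches a "25.80" or "80, 20" that would otherwise silently open or skip a port.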
Code:
DROP_NOLOG = "10050,10051"
List of ports whose dropped packets do not need to be written to the log.
Code:
CONNLIMIT_LOGGING = "1"
Log the IPs that exceed the CONNLIMIT configured in the previous step.
Code:
LF_ALERT_TO = "your_email@your_domain.com"
By default all alert emails are sent to root on the server. If you want them sent to another email address, set it here.
Code:
LF_PERMBLOCK = "1" LF_PERMBLOCK_INTERVAL = "86400" LF_PERMBLOCK_COUNT = "6" LF_PERMBLOCK_ALERT = "1"
Enables permanent IP blocks. If an IP receives 6 temporary bans for rule violations within 86400 s (1 day), it is blocked permanently and an email is sent to the administrator.
Code:
LF_TRIGGER = "1"
Enables login failure detection per individual service (declared below).
Code:
LF_TRIGGER_PERM = "1"
When LF_TRIGGER = "1", you can set LF_TRIGGER_PERM to make the resulting IP blocks permanent:
+ LF_TRIGGER_PERM = "1" => the IP block is permanent
+ LF_TRIGGER_PERM = "86400" => the IP is blocked for 1 day
Code:
LF_SELECT = "1"
When an IP violates an LFD rule, instead of blocking all traffic from that IP to the server, block only the traffic to the service whose login failed (e.g. after many wrong FTP logins, block FTP access but still allow the IP to visit the website).
Code:
LF_EMAIL_ALERT = "1"
Send an email notification when an IP is blocked by one of the triggers below.
Code:
LF_SSHD = "5" LF_SSHD_PERM = "1"
If an IP fails SSH login 5 times, block that IP (temporary block).
If the number of temporary blocks exceeds LF_PERMBLOCK_COUNT (configured in the step above), the block becomes permanent.
Code:
LF_FTPD = "0" LF_FTPD_PERM = "1"
Login failure detection is disabled for the FTP service.
The same applies to the remaining services below (SMTP, POP3, IMAP, .htpasswd, mod_security ...).
Code:
LF_SSH_EMAIL_ALERT = "0"
Do not send an email notification when someone successfully logs in via SSH.
Code:
LF_SU_EMAIL_ALERT = "0"
Do not send an email notification when a user switches to another user with "su", regardless of whether the "su" succeeds or fails.
Code:
LF_DIRWATCH = "3600"
LFD checks the directories /tmp and /dev/shm every 3600 s and emails us if it finds suspicious files that look like malware. On many servers /tmp and /dev/shm are writable by all users, so attackers take advantage of this to write malicious code there (reverse-connect files, local root exploits ...).
Code:
LF_DIRWATCH_DISABLE = "1"
When suspicious files are detected in /tmp or /dev/shm, move them out of those two directories and append them to the file /etc/csf/suspicious.tar, so that we can monitor and analyze them later and shut down the attacker's activity.
Code:
LF_DIRWATCH_FILE = "60"
Track changes to files and directories and email us when anything changes. To track a file or directory, add it to the file csf.dirwatch. As configured, the check runs once every 60 s.
Code:
LF_INTEGRITY = "0"
Check the integrity of the operating system by comparing the MD5 of the binary files recorded when LFD started with their MD5 at check time; if they differ, send an email notification. This feature can misfire after a system update, and it increases I/O and server load because of the repeated MD5 calculations.
Code:
LF_DISTATTACK = "0"
Detect brute-force attacks from botnets. If an account exceeds the login failure limit from many different IPs, block every IP that failed to log in to it.
Code:
LF_DISTATTACK_UNIQ = "2"
Minimum number of distinct IPs for an attack to count as distributed.
Code:
LT_POP3D = "30"
Block POP3 logins if an account logs in more than 30 times in one hour from a single IP. The same applies to LT_IMAPD.
Code:
LT_EMAIL_ALERT = "0"
Send an email when an account exceeds the LT_IMAPD/LT_POP3D limits.
Code:
LT_SKIPPERMBLOCK = "0"
Do not apply permanent blocks for LT_POP3D/LT_IMAPD violations.
Code:
CT_LIMIT = "300"
Limit the number of connections from one IP to the server. If it exceeds 300, that IP is blocked (temporary block).
Code:
CT_INTERVAL = "30"
Run the check every 30 seconds.
Code:
CT_EMAIL_ALERT = "1"
Send an email notification if an IP is blocked by the connection tracking.
Code:
CT_PERMANENT = "0"
Disable permanent blocks for connection tracking.
Code:
CT_BLOCK_TIME = "1800"
How long (in seconds) to block an IP that violates the connection tracking limit.
Code:
CT_SKIP_TIME_WAIT = "0"
When counting one IP's connections to the server, ignore connections in the TIME_WAIT state (do not count that state).
Code:
CT_STATES = "SYN_RECV"
Only count connections in the SYN_RECV state.
Code:
CT_PORTS = "80,443"
Connection tracking only applies to connections to ports 80 and 443.
Code:
PS_INTERVAL = "300" PS_LIMIT = "15"
Within 300 s, if an IP connects to more than 15 ports on the server, block that IP.
Code:
PS_PORTS = "0:65535, ICMP"
Port range to be monitored.
Code:
PS_PERMANENT = "0"
Whether an IP blocked by Port Scan Tracking is blocked temporarily or permanently:
PS_PERMANENT = "0": temporary IP block
PS_PERMANENT = "1": permanent IP block
Code:
PS_BLOCK_TIME = "3600"
If PS_PERMANENT = "0", this is the duration of the temporary IP block.
Code:
PS_EMAIL_ALERT = "1"
Send an email notification when an IP is blocked.
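As an added example (not code from the original post or from CSF), a Python model of the Port Scan Tracking rule above, run over constructed syslog lines in the style of iptables block logs. Assumptions: it counts distinct blocked destination ports per source IP inside a PS_INTERVAL-second sliding window, and the log prefix and addresses are illustrative; CSF's own bookkeeping is not reproduced.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

PS_INTERVAL = 300   # seconds, as configured above
PS_LIMIT = 15       # distinct blocked ports per source IP within PS_INTERVAL

# Constructed syslog lines in the style of iptables LOG output; not real traffic.
# 203.0.113.7 probes 17 different ports in 17 seconds; 198.51.100.9 only hits port 23.
_FMT = ("May 26 {ts} web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
        "SRC={src} DST=198.51.100.5 PROTO=TCP SPT=40000 DPT={dpt}")
LOG = [_FMT.format(ts=f"10:00:{i:02d}", src="203.0.113.7", dpt=20 + i) for i in range(17)]
LOG += [_FMT.format(ts="10:03:00", src="198.51.100.9", dpt=23),
        _FMT.format(ts="10:03:05", src="198.51.100.9", dpt=23),
        "May 26 10:04:00 web sshd[123]: Accepted publickey for admin"]  # not a block line

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; only time deltas matter

def parse(line):
    """Return (seconds, src_ip, dst_port) for a blocked-packet line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    secs = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return secs, m.group(2), int(m.group(3))

def find_scanners(lines, interval=PS_INTERVAL, limit=PS_LIMIT):
    """Sliding-window model of the PS_INTERVAL/PS_LIMIT rule: flag a source IP once
    it has hit more than `limit` distinct blocked ports within `interval` seconds.
    Returns {ip: seconds at which the limit was crossed}."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for ip, events in by_ip.items():
        window, ports = deque(), Counter()        # hits in window, port -> hit count
        for t, port in sorted(events):
            window.append((t, port))
            ports[port] += 1
            while t - window[0][0] > interval:     # expire hits older than interval
                _, old = window.popleft()
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
            if len(ports) > limit and ip not in flagged:
                flagged[ip] = t
    return flagged
```

Lowering PS_LIMIT or raising PS_INTERVAL in the call shows how quickly a slow scan is caught, and how a single host retrying one closed port never trips the rule.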
By default CSF sends all alert emails to the address configured in "LF_ALERT_TO". If, as a special case, you want certain alert types sent to a different email address, run the relevant command(s) below (choose only the alert types you want redirected):
Code:
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/connectiontracking.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/exploitalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/filealert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/loadalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/logfloodalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/netblock.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/permblock.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/portknocking.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/portscan.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/resalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/scriptalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/tracking.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/usertracking.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/watchalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/x-arf.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/alert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/sshalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/processtracking.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/sualert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/integrityalert.txt
perl -i -p -e 's/To: root/To: your_email\@gmail.com/g;' /etc/csf/accounttracking.txt
Where:
/etc/csf/alert.txt - for port blocking emails
/etc/csf/tracking.txt - for POP3/IMAP blocking emails
/etc/csf/connectiontracking.txt - for connection tracking emails
/etc/csf/processtracking.txt - for process tracking alert emails
/etc/csf/usertracking.txt - for user process tracking alert emails
/etc/csf/sshalert.txt - for SSH login emails
/etc/csf/sualert.txt - for SU alert emails
/etc/csf/uialert.txt - for UI alert emails
/etc/csf/scriptalert.txt - for script alert emails
/etc/csf/filealert.txt - for suspicious file alert emails
/etc/csf/watchalert.txt - for watched file and directory change alert emails
/etc/csf/loadalert.txt - for high load average alert emails
/etc/csf/resalert.txt - for process resource alert emails
/etc/csf/exploitalert.txt - for system exploit alert emails
/etc/csf/integrityalert.txt - for system integrity alert emails
/etc/csf/relayalert.txt - for email relay alert emails
/etc/csf/portscan.txt - for port scan tracking alert emails
/etc/csf/permblock.txt - for temporary to permanent block alert emails
/etc/csf/netblock.txt - for netblock alert emails
/etc/csf/accounttracking.txt - for account tracking alert emails
/etc/csf/queuealert.txt - for email queue alert emails
/etc/csf/logfloodalert.txt - for log file flooding alert emails
/etc/csf/cpanelalert.txt - for WHM/cPanel account access emails
/etc/csf/portknocking.txt - for Port Knocking alert emails