When I configure the csf firewall and refresh the site's fixed URL a few times, I get a 403 Forbidden, and the site can be accessed again after a while. This happens over and over again.

I would like to ask everyone: is there a configuration error in my csf firewall?

SELinux and firewalld are turned off. My csf configuration is as follows:

###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# The following options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"
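
The spoofing risk the warning above describes, demonstrated on constructed log lines. This is an example added to the page; it is not part of the poster's configuration and not csf/lfd code. The sshd pattern, the five-failure threshold and the sample lines are assumptions for illustration. The point is that a log-driven blocker cannot tell the two batches apart, so with RESTRICT_SYSLOG left at "0" (as in the configuration above) any local user can get an arbitrary address, including the administrator's, written into csf.deny. The last two functions check the socket state that RESTRICT_SYSLOG = "3" is meant to establish.

```python
import os
import re
import stat
from collections import Counter

# Illustrative pattern for an sshd password failure as rsyslog writes it to
# /var/log/secure. An assumption for this example, not lfd's own regex.
SSHD_FAIL = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

LF_SSHD = 5  # failures before a block; the value is an assumption for the demo


def failures_by_ip(lines):
    """Count sshd failures per source IP, as a log-driven blocker would."""
    hits = Counter()
    for line in lines:
        m = SSHD_FAIL.match(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def ips_to_block(lines, threshold=LF_SSHD):
    """IPs that reached the threshold, i.e. what would land in csf.deny."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= threshold)


# Constructed sample log. The first two lines mimic genuine sshd entries.
# The next five are what any local, unprivileged user can emit with
#   logger -t sshd -p authpriv.info 'Failed password for root from 192.0.2.10 port 4242 ssh2'
# Both reach rsyslog through the same /dev/log socket, so the bytes written to
# the log file are identical; the bracketed "PID" is whatever the sender chose.
GENUINE = [
    "Mar  3 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Mar  3 10:15:04 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2",
]
SPOOFED = [
    f"Mar  3 10:16:0{i} web1 sshd[9999]: Failed password for root from 192.0.2.10 port 4242 ssh2"
    for i in range(5)
]


def socket_write_restricted(st_mode):
    """True when the socket mode denies write to 'other'. This is the state
    RESTRICT_SYSLOG = "3" maintains: group write for RESTRICT_SYSLOG_GROUP only."""
    return not (st_mode & stat.S_IWOTH)


def syslog_socket_status(path="/dev/log"):
    """(exists, restricted) for the live socket; /dev/log is the conventional
    path and an assumption here (on systemd hosts it is a symlink, which
    os.stat follows)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return (False, False)
    return (True, socket_write_restricted(st.st_mode))


if __name__ == "__main__":
    print("blocked from genuine lines:", ips_to_block(GENUINE))
    print("blocked once spoofed lines are added:", ips_to_block(GENUINE + SPOOFED))
    print("syslog socket (exists, write restricted):", syslog_socket_status())
```

Run it as a script to see the two outcomes and the state of the live socket. On a host where RESTRICT_SYSLOG = "3" has been applied the final line should report the socket as write-restricted, and the logger invocation in the comment, run as a user outside RESTRICT_SYSLOG_GROUP, should be refused.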

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers, if they exist, to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Port ranges in the following comma separated lists can be given using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# rate-limits PING requests; if the rate is exceeded, the excess packets are
# silently discarded. Disable or increase this value if you are seeing PING
# drops that you do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# rate-limits PING requests; if the rate is exceeded, the excess packets are
# silently discarded. Disable or increase this value if you are seeing PING
# drops that you do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and it can impact network performance, so it should be left disabled by
# everyone else
ICMP_TIMESTAMPDROP = "0"
###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled:
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1", but this may
# break some connection types
IPV6_ICMP_STRICT = "0"

# Pre v2.6.20 kernels must have this option set to "0" as no working state
# module is present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"
###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
ETH6_DEVICE = ""

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"

# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IPs allowed through the
# firewall from infected PCs could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

# Limit the number of IPs kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed.
# If the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"

# Limit the number of IPs kept in the temporary IP ban list. If the limit is
# reached the oldest IPs in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
#    and then restored where possible to provide a near instant firewall
#    startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
#    BOGON, TOR are loaded using this method in a fraction of the time they
#    take when this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"

# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages, some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "0"

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"

# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"

# Enable verbose output of iptables commands
VERBOSE = "1"

# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"

# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"

# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"

# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection provided by WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module, which must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"

# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH,
# which is otherwise difficult to achieve since port 25 needs to be open to
# relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
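
SYNFLOOD_RATE and SYNFLOOD_BURST use the rate/burst syntax of the iptables limit match, the same syntax as ICMP_IN_RATE above and UDPFLOOD_LIMIT/UDPFLOOD_BURST below. The token-bucket model that follows is an example added for this page, not csf's own code, and it shows why the note above matters: the bucket is shared by every source, so one host flooding at 1000 SYN/s empties it and a legitimate client's single SYN arriving mid-attack is dropped as well. The bucket semantics (full at start, refilled at the rate, one token per matching packet) are the standard description of the limit match; the attack rate and timings are constructed, and fractions keep the arithmetic exact.

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of the iptables 'limit' match.

    Assumptions for this example: the bucket starts full at `burst` tokens,
    refills continuously at `rate`, and a packet matches (is let through)
    only if a whole token is available. There is one bucket for the rule,
    not one per source address. Fractions keep the arithmetic exact.
    """

    UNITS = {"second": 1, "sec": 1, "s": 1, "minute": 60, "min": 60, "m": 60,
             "hour": 3600, "h": 3600, "day": 86400, "d": 86400}

    def __init__(self, rate="100/s", burst=150):
        count, unit = rate.split("/")
        self.rate = Fraction(int(count), self.UNITS[unit])  # tokens per second
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = Fraction(0)

    def allow(self, now):
        """Return True if a packet arriving at time `now` (seconds) passes."""
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def syn_flood_scenario(rate="100/s", burst=150, attacker_pps=1000, duration=1):
    """One host sends SYNs at attacker_pps for `duration` seconds. A legitimate
    client sends one SYN halfway through and another one second after the
    flood stops. Returns (attacker_syns_passed, legit_during, legit_after).
    Constructed scenario; the timings are not measurements."""
    bucket = LimitMatch(rate, burst)
    step = Fraction(1, attacker_pps)
    mid = Fraction(duration, 2) + step / 2   # halfway, between two attacker SYNs
    passed = 0
    legit_during = None
    for k in range(attacker_pps * duration):
        t = k * step
        if legit_during is None and t > mid:
            legit_during = bucket.allow(mid)
        if bucket.allow(t):
            passed += 1
    legit_after = bucket.allow(Fraction(duration) + 1)
    return passed, legit_during, legit_after


if __name__ == "__main__":
    passed, during, after = syn_flood_scenario()
    print(f"attacker SYNs passed in 1 s: {passed} of 1000")
    print(f"legitimate SYN during the flood passed: {during}")
    print(f"legitimate SYN one second after the flood passed: {after}")
```

With the values from this configuration the burst of 150 is gone in the first 166 attacker packets, after which only about one SYN in ten gets a token regardless of who sent it; the legitimate client recovers only once the flood stops and the bucket refills.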

# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = "22;tcp;10;300,80;tcp;200;5,443;tcp;200;5"
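
The PORTFLOOD value above, parsed and simulated, as an example added for this page (not the poster's configuration and not csf's code). The field order port;protocol;hit count;interval seconds is the one documented in the csf readme the comment points to; the sliding-window model of the iptables recent match is an approximation made here, and the client behaviour (six connections per page load, five reloads, an ssh brute-force one attempt per second) is constructed. One point worth keeping in mind for the question at the top of the page: when PORTFLOOD trips, the excess packets go to the DROP target configured further down and never reach the web server, so the browser hangs until it times out. An HTTP 403 is a response generated by the web server (or something in front of it at the HTTP layer), which a dropped packet cannot produce, so the web server's access and error logs are the first place to look, with `csf -g <ip>` and /var/log/lfd.log to rule the firewall in or out.

```python
from collections import defaultdict, deque


def parse_portflood(value):
    """Parse a csf PORTFLOOD string.

    Format, per the csf readme: port;protocol;hit count;interval seconds, with
    entries separated by commas. Returns {(port, proto): (hits, seconds)}.
    """
    rules = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        port, proto, hits, secs = entry.split(";")
        rules[(int(port), proto.lower())] = (int(hits), int(secs))
    return rules


class PortFloodSimulator:
    """Sliding-window model of the iptables 'recent' match behind PORTFLOOD.

    Assumption for this example: a new connection from an IP to a port is
    dropped when more than `hits` connections from that IP have been seen on
    that port within the last `secs` seconds, the current one included.
    Dropped attempts still refresh the window, so a source that keeps hammering
    stays blocked until it backs off for `secs` seconds.
    """

    def __init__(self, rules):
        self.rules = rules
        self.seen = defaultdict(deque)   # (ip, port, proto) -> arrival times

    def connect(self, ip, port, proto, now):
        """True if the new connection is accepted, False if PORTFLOOD drops it."""
        rule = self.rules.get((port, proto))
        if rule is None:
            return True                  # port not covered by PORTFLOOD
        hits, secs = rule
        window = self.seen[(ip, port, proto)]
        while window and now - window[0] >= secs:
            window.popleft()             # forget attempts older than the interval
        window.append(now)
        return len(window) <= hits


# The value from the configuration above.
PORTFLOOD = "22;tcp;10;300,80;tcp;200;5,443;tcp;200;5"


def browser_refresh_outcome(refreshes=5, connections_per_load=6):
    """One client reloading a page: each load opens a handful of connections
    0.1 s apart (constructed numbers). Returns how many SYNs were dropped."""
    sim = PortFloodSimulator(parse_portflood(PORTFLOOD))
    dropped, t = 0, 0.0
    for _ in range(refreshes):
        for _ in range(connections_per_load):
            if not sim.connect("192.0.2.10", 80, "tcp", t):
                dropped += 1
            t += 0.1
    return dropped


def ssh_bruteforce_outcome(attempts=15, gap=1.0):
    """Attempts to port 22 one second apart against the 10-in-300s rule.
    Returns (accepted, dropped)."""
    sim = PortFloodSimulator(parse_portflood(PORTFLOOD))
    accepted = dropped = 0
    for i in range(attempts):
        if sim.connect("198.51.100.7", 22, "tcp", i * gap):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    print("rules:", parse_portflood(PORTFLOOD))
    print("SYNs dropped for a client reloading the page 5 times:", browser_refresh_outcome())
    print("ssh attempts (accepted, dropped):", ssh_bruteforce_outcome())
```

Under this model a single browser reloading a few times stays far below 200 connections in 5 seconds and loses nothing, while the eleventh ssh attempt within 300 seconds is the first one dropped.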

# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs an IP
# address block following, for example, a login failure. The following setting
# is the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""

# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably be reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
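The LF_PERMBLOCK_INTERVAL rule in the comment above is easy to get wrong once several triggers carry their own temporary TTLs. The following Python is an added example, not csf's code and not from the post: it parses the KEY = "value" lines of a constructed csf.conf excerpt, collects the temporary TTLs of the enabled LF_* triggers (respecting the LF_TRIGGER mode described in the Login Failure section later in the file) and checks that the interval is at least COUNT times the longest one. The LF_HTACCESS_PERM value of 3600 in the excerpt is an assumption made so that there is a TTL to check; with every *_PERM set to "1" as in this thread, those blocks are already permanent and temp-to-perm escalation has nothing to escalate from them. Temporary blocks from other sources (PS_*, CT_* and similar settings that are not in this part of the file) can be passed in through extra_ttls.

```python
import re

# Constructed excerpt of a csf.conf in the KEY = "value" form used above.  The
# values mirror the ones in this thread except LF_HTACCESS_PERM, which is set to
# a one-hour temporary block here (an assumption) so the check has a TTL to use.
CSF_CONF = '''
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "1"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_FTPD_PERM = "1"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "3600"
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
'''

KEY_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$', re.M)


def parse_csf_conf(text):
    """Return {KEY: value} for every KEY = "value" line; comment lines are ignored."""
    return dict(KEY_RE.findall(text))


def temporary_ttls(conf):
    """Temporary block TTLs (seconds) among the LF_* login-failure triggers.

    A *_PERM of "1" is a permanent block, so it has no TTL; a value above 1 is
    a TTL in seconds.  With LF_TRIGGER > 0 only LF_TRIGGER_PERM applies; with
    LF_TRIGGER = 0 each enabled application's LF_<app>_PERM applies instead."""
    if int(conf.get("LF_TRIGGER", "0")) > 0:
        candidates = {"LF_TRIGGER_PERM": "LF_TRIGGER"}
    else:
        candidates = {k: k[:-len("_PERM")] for k in conf
                      if k.startswith("LF_") and k.endswith("_PERM")
                      and k != "LF_TRIGGER_PERM"}
    ttls = {}
    for perm_key, app_key in candidates.items():
        if int(conf.get(app_key, "0")) == 0:      # trigger disabled: no blocks
            continue
        ttl = int(conf[perm_key])
        if ttl > 1:
            ttls[perm_key] = ttl
    return ttls


def check_permblock(conf, extra_ttls=()):
    """Apply the rule stated in the LF_PERMBLOCK comment: LF_PERMBLOCK_INTERVAL
    must be at least LF_PERMBLOCK_COUNT times the longest temporary TTL, or a
    repeat offender can never collect COUNT temporary blocks inside one window.
    extra_ttls takes TTLs from temporary-block sources that are not LF_*
    settings."""
    if conf.get("LF_PERMBLOCK", "0") != "1":
        return {"enabled": False, "ok": True}
    interval = int(conf["LF_PERMBLOCK_INTERVAL"])
    count = int(conf["LF_PERMBLOCK_COUNT"])
    ttls = temporary_ttls(conf)
    longest = max([*ttls.values(), *extra_ttls], default=0)
    required = count * longest
    return {"enabled": True, "interval": interval, "count": count,
            "temporary_triggers": sorted(ttls), "longest_ttl": longest,
            "required_interval": required, "ok": interval >= required}


if __name__ == "__main__":
    print(check_permblock(parse_csf_conf(CSF_CONF)))
```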

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an effective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""

###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"

# The following Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

# Set the following to the number of seconds to poll for a change in the IP
# address resolved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"

# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""

# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URL's
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
#   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
#   apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
#   perl -MCPAN -eshell
#   cpan> install LWP LWP::Protocol::https
#
# We recommend setting this to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"

###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
# then only countries listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries smaller than a /16,
# set this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
# uses a URL-based lookup from a third-party provider at https://freegeoip.net
# and so avoids having to download and process the large databases. Please
# visit https://freegeoip.net and read their limitations and respect that
# this option will either cease to function or be removed by us if that site is
# abused or overloaded. ONLY use this option if you have difficulties using the
# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
# CC_* options above, which will continue to use the MaxMind databases
#
CC_LOOKUPS = "1"

# Display Country Code and Country for reported IPv6 addresses using the
# MaxMind Country IPv6 Database
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
# PORTFLOOD
CC6_LOOKUPS = "0"

# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = "14"


nginx.conf is configured as follows


#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    client_max_body_size 8m;    #
    client_body_buffer_size 2m;  #

    gzip  on;
    #WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    server {
        listen       127.0.0.1;
        server_name  mywebsiteip.com;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.php index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}
Mar.21,2021
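An HTTP 403 cannot come from csf: iptables has no notion of HTTP, and with the incoming target set to DROP a firewall block shows up as a connection that hangs and eventually times out, not as an error page. nginx is the component that writes a 403, and in the configuration above the likeliest source is the Lua WAF loaded through access_by_lua_file, whose `lua_shared_dict limit` is the kind of shared memory such WAFs use for per-IP request counting (CC protection). The Python below is an added model, not code from the post and not from any WAF project: it imitates a fixed-window counter kept in a shared dict and shows that a client exceeding the threshold receives 403 until the window key expires and is then served again, which is the on/off pattern the question describes. Every asset on a page is a separate request, so a handful of browser reloads can exceed a low per-URI limit quickly. To confirm which layer is acting, `csf -g <client-ip>` greps the live iptables rules for that address and /var/log/lfd.log records lfd's blocks, whereas the WAF's own log and the nginx access log record the 403. One further thing the config shows: with `listen 127.0.0.1;` this server block accepts only loopback connections, so unless something else fronts it, outside clients are not reaching it at all.

```python
class SharedDict:
    """Minimal stand-in (an assumption, see the lead-in) for an nginx
    lua_shared_dict: keys hold a number plus an expiry, and incr() behaves
    like ngx.shared.DICT:incr(key, step, init, init_ttl)."""

    def __init__(self):
        self._store = {}            # key -> [value, expires_at]

    def incr(self, key, step, init, init_ttl, now):
        entry = self._store.get(key)
        if entry is None or entry[1] <= now:
            entry = [init, now + init_ttl]      # (re)start a window at `now`
            self._store[key] = entry
        entry[0] += step
        return entry[0]


class CcGuard:
    """Fixed-window per-IP, per-URI request counter of the kind a Lua WAF keeps
    in `lua_shared_dict limit`.  rate "100/60" means at most 100 requests to one
    URI from one IP per 60-second window; anything beyond that gets 403 until
    the window key expires, after which the client is served again."""

    def __init__(self, rate="100/60"):
        self.limit, self.window = (int(x) for x in rate.split("/"))
        self.shared = SharedDict()

    def check(self, client_ip, uri, now):
        count = self.shared.incr(client_ip + uri, 1, 0, self.window, now)
        return 403 if count > self.limit else 200


def replay(requests, rate="100/60"):
    """Run constructed (timestamp, ip, uri) requests through the guard and
    return the status each one would receive."""
    guard = CcGuard(rate)
    return [guard.check(ip, uri, t) for t, ip, uri in requests]


def reload_storm(n, period, ip="203.0.113.10", uri="/index.php"):
    """Constructed traffic: one client reloading the same URI n times evenly
    spread over `period` seconds (203.0.113.10 is documentation address space)."""
    return [(i * period / n, ip, uri) for i in range(n)]


if __name__ == "__main__":
    # 120 reloads in 10 s against a 100/60 rule: the last 20 are refused
    statuses = replay(reload_storm(120, 10))
    print(statuses.count(200), "served,", statuses.count(403), "refused")
    # the same client after the window has expired is served again
    late = (70.0, "203.0.113.10", "/index.php")
    print(replay(reload_storm(120, 10) + [late])[-1])
```

The model deliberately keeps the WAF's fixed window rather than the sliding window of the PORTFLOOD rule: with a fixed window the block clears all at once when the key expires, which matches the "forbidden, then fine again after a while" cycle better than a sliding limit would.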

#########
# SECTION:Login Failure Blocking and Alerts
#########
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"
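The two LF_TRIGGER modes and LF_SELECT above read similarly but decide blocks quite differently. The Python below is an added model of those rules, not lfd's code and not from the original post; the per-application thresholds follow this thread, while the cumulative-mode settings are assumptions. It takes one client's failure counts per application and returns whether and how lfd would block, so you can see that four sshd plus six ftpd failures block nothing in per-application mode yet do block, for an hour, in cumulative mode with LF_TRIGGER at 10.

```python
# Constructed settings in the form of the LF_* lines above: per-application
# mode (LF_TRIGGER = "0") with the thresholds used in this thread.
PER_APP = {
    "LF_TRIGGER": "0", "LF_TRIGGER_PERM": "1", "LF_SELECT": "0",
    "LF_SSHD": "5", "LF_SSHD_PERM": "1",
    "LF_FTPD": "10", "LF_FTPD_PERM": "1",
    "LF_SMTPAUTH": "5", "LF_SMTPAUTH_PERM": "1",
}

# Cumulative mode: the application settings become on/off switches and
# LF_TRIGGER is the total; one-hour temporary blocks (values are assumptions).
CUMULATIVE = dict(PER_APP, LF_TRIGGER="10", LF_TRIGGER_PERM="3600",
                  LF_SSHD="1", LF_FTPD="1", LF_SMTPAUTH="0")


def block_ttl(value):
    """"1" means a permanent block; anything above 1 is a TTL in seconds."""
    v = int(value)
    return "permanent" if v == 1 else v


def block_decision(conf, failures):
    """Decide, from the rules in the LF_TRIGGER / LF_SELECT comments, whether
    one IP's failure counts (a mapping keyed by LF_<app>) lead to a block.
    Returns None or a dict describing the block."""
    trigger = int(conf.get("LF_TRIGGER", "0"))
    if trigger > 0:
        # cumulative: count only applications switched on, compare the total
        total = sum(n for app, n in failures.items()
                    if conf.get(app, "0") != "0")
        if total < trigger:
            return None
        return {"mode": "cumulative", "total": total, "scope": "all ports",
                "block": block_ttl(conf["LF_TRIGGER_PERM"])}
    # per-application: each switched-on application has its own threshold
    for app, n in sorted(failures.items()):
        threshold = int(conf.get(app, "0"))
        if threshold == 0 or n < threshold:
            continue
        select = conf.get("LF_SELECT", "0") == "1"
        return {"mode": "per-app", "trigger": app,
                "scope": "PORTS_* ports of " + app if select else "all ports",
                "block": block_ttl(conf[app + "_PERM"])}
    return None


if __name__ == "__main__":
    hits = {"LF_SSHD": 4, "LF_FTPD": 6}
    print(block_decision(PER_APP, hits))        # None: no single app at threshold
    print(block_decision(CUMULATIVE, hits))     # total 10 reaches LF_TRIGGER
```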

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably be set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER,SSHDSPAM
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IPs and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

#########
# SECTION:CloudFlare
#########
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons)
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides CLI (and via the UI) additional commands
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

#########
# SECTION:Directory Watching & Integrity
#########
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "300"

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

# This option allows you to have lfd watch a particular file or directory for
# changes and should they change an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
LF_DIRWATCH_FILE = "0"

# System Integrity Checking. This enables lfd to compare md5sums of the
# server's OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the server's OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase server I/O
# load onto the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"

#########
# SECTION:Distributed Attacks
#########
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"

# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"

# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"

# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"

# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""

#########
# SECTION:Login Tracking
#########
# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
# address (0=disabled)
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_POP3D = "0"

# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
# address (0=disabled) - not recommended for IMAP logins due to the ethos
# within which IMAP works. If you want to use this, setting it quite high is
# probably a good idea
#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LT_IMAPD = "0"

# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
# per IP
LT_EMAIL_ALERT = "1"

# If LF_PERMBLOCK is enabled but you do not want this to apply to
# LT_POP3D/LT_IMAPD, then enable this option
LT_SKIPPERMBLOCK = "0"

#########
# SECTION:Connection Tracking
#########
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = "1500"

# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""

# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = ""

#########
# SECTION:Process Tracking
#########
# Process Tracking. This option enables tracking of user and nobody processes
# and examines them for suspicious executables or open network ports. Its
# purpose is to identify potential exploit processes that are running on the
# server, even if they are obfuscated to appear as system services. If a
# suspicious process is found an alert email is sent with relevant information.
# It is then the responsibility of the recipient to investigate the process
# further as the script takes no further action
#
# The following is the number of seconds a process has to be active before it
# is inspected. If you set this time too low, then you will likely trigger
# false-positives with CGI or PHP scripts.
# Set the value to 0 to disable this feature
PT_LIMIT = "60"

# How frequently processes are checked in seconds
PT_INTERVAL = "60"

# If you want process tracking to highlight php or perl scripts that are run
# through apache then disable the following,
# i.e. set it to 0
#
# While enabling this setting will reduce false-positives, having it set to 0
# does provide better checking for exploits running on the server
PT_SKIP_HTTP = "0"

# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# Note: If a deleted executable process is detected and reported then lfd will
# not report children of the parent (or the parent itself if a child triggered
# the report) if the parent is also a deleted executable process
#
# To stop lfd reporting such processes you need to restart the daemon to which
# it belongs and therefore run the process using the replacement binary
# (presuming one exists). This will normally mean running the associated
# startup script in /etc/init.d/
#
# If you do want lfd to report deleted binary processes, set to 1
PT_DELETED = "0"

# If a PT_DELETED event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the executable, pid,
# account for the process, and parent pid
#
# The action script must have the execute bit and interpreter (shebang) set. An
# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
#
# WARNING: Make sure you read and understand the potential security
# implications of such processes in PT_DELETED above before simply restarting
# such processes with a script
PT_DELETED_ACTION = ""

# User Process Tracking. This option enables the tracking of the number of
# processes any given account is running at one time. If the number of
# processes exceeds the value of the following setting an email alert is sent
# with details of those processes. If you specify a user in csf.pignore it will
# be ignored
#
# Set to 0 to disable this feature
PT_USERPROC = "10"

# This User Process Tracking option sends an alert if any user process exceeds
# the virtual memory usage set (MB). To ignore specific processes or users use
# csf.pignore
#
# Set to 0 to disable this feature
PT_USERMEM = "512"

# This User Process Tracking option sends an alert if any user process exceeds
# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
# processes or users use csf.pignore
#
# Set to 0 to disable this feature
PT_USERRSS = "256"

# This User Process Tracking option sends an alert if any linux user process
# exceeds the time usage set (seconds). To ignore specific processes or users
# use csf.pignore
#
# Set to 0 to disable this feature
PT_USERTIME = "1800"

# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
# PT_USERPROC are killed
#
# Warning: We don't recommend enabling this option unless absolutely necessary
# as it can cause unexpected problems when processes are suddenly terminated.
# It can also lead to system processes being terminated which could cause
# stability issues. It is much better to leave this option disabled and to
# investigate each case as it is reported when the triggers above are breached
#
# Note: Processes that are running deleted executables (see PT_DELETED) will
# not be killed by lfd
PT_USERKILL = "0"

# If you want to disable email alerts if PT_USERKILL is triggered, then set
# this option to 0
PT_USERKILL_ALERT = "1"

# If a PT_* event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the PID(s) of the
# process(es) in a comma separated list.
#
# The action script must have the execute bit and interpreter (shebang) set
PT_USER_ACTION = ""

# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
# seconds has passed to prevent email floods.
#
# Set PT_LOAD to "0" to disable this feature
PT_LOAD = "30"
PT_LOAD_AVG = "5"
PT_LOAD_LEVEL = "6"
PT_LOAD_SKIP = "3600"

# This is the Apache Server Status URL used in the email alert. Requires the
# Apache mod_status module to be installed and configured correctly
PT_APACHESTATUS = "http://127.0.0.1/server-status"

# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc in case of
# looping processes. The action script must have the execute bit and
# interpreter (shebang) set
PT_LOAD_ACTION = ""

# Fork Bomb Protection. This option checks the number of processes with the
# same session id and if greater than the value set, the whole session tree is
# terminated and an alert sent
#
# You can see an example of common session id processes on most Linux systems
# using: "ps axf -O sid"
#
# On cPanel servers, PT_ALL_USERS should be enabled to use this option
# effectively
#
# This option will check root owned processes. Session id 0 and 1 will always
# be ignored as they represent kernel and init processes. csf.pignore will be
# honoured, but bear in mind that a session tree can contain a variety of users
# and executables
#
# Care needs to be taken to ensure that this option only detects runaway fork
# bombs, so should be set higher than any session tree is likely to get (e.g.
# httpd could have 100s of legitimate children on very busy systems). A
# sensible starting point on most servers might be 250
PT_FORKBOMB = "0"

# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
# are often left hanging after their connecting IP addresses have been blocked
#
# This option will terminate the SSH processes created by the blocked IP. This
# option is preferred over PT_SSHDHUNG
PT_SSHDKILL = "0"

# This option will terminate all processes with the cmdline of "sshd: unknown
# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
# seconds
PT_SSHDHUNG = "0"

#########
# SECTION:Port Scan Tracking
#########
# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates a port block that is logged more than
# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
#
# This feature could, for example, be useful for blocking hackers attempting
# to access the standard SSH port if you have moved it to a port other than 22
# and have removed 22 from the TCP_IN list so that connection attempts to the
# old port are being logged
#
# This feature blocks all iptables blocks from the iptables logs, including
# repeated attempts to one port or SYN flood blocks, etc
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
# cause redundant blocking with DROP_IP_LOGGING enabled
#
# Warning: It's possible that an elaborate DDOS (i.e. from multiple IPs)
# could very quickly fill the iptables rule chains and cause a DOS in itself.
# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
# and the DENY_TEMP_IP_LIMIT with temporary blocks
#
# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
PS_INTERVAL = "0"
PS_LIMIT = "10"

# You can specify the ports and/or port ranges that should be tracked by the
# Port Scan Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_IN. The setting of
# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
#
# Special values are:
#   ICMP    - include ICMP blocks (see ICMP_*)
#   INVALID - include INVALID blocks (see PACKET_FILTER)
#   OPEN    - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
#   BRD     - include UDP Broadcast IPs, otherwise they are ignored
PS_PORTS = "0:65535,ICMP"

# To specify how many different ports qualify as a Port Scan you can increase
# the following from the default value of 1. The risk in doing so will mean
# that persistent attempts to attack a specific closed port will not be
# detected and blocked
PS_DIVERSITY = "1"

# You can select whether IP blocks for Port Scan Tracking should be temporary
# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
# temporarily block the IP address for
PS_PERMANENT = "0"
PS_BLOCK_TIME = "3600"

# Set the following to "1" to enable Port Scan Tracking email alerts, set to
# "0" to disable them
PS_EMAIL_ALERT = "1"

#########
# SECTION:User ID Tracking
#########
# User ID Tracking. This feature tracks UID blocks logged by iptables to
# syslog. If a UID generates a port block that is logged more than UID_LIMIT
# times within UID_INTERVAL seconds, an alert will be sent
#
# Note: This feature will only track iptables blocks from the log file set in
# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
#
# To ignore specific UIDs list them in csf.uidignore and then restart lfd
#
# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
UID_INTERVAL = "0"
UID_LIMIT = "10"

# You can specify the ports and/or port ranges that should be tracked by the
# User ID Tracking feature. The following setting is a comma separated list
# of those ports and uses the same format as TCP_OUT. The default setting of
# 0:65535,ICMP covers all ports
UID_PORTS = "0:65535,ICMP"

#########
# SECTION:Account Tracking
#########
# Account Tracking. The following options enable the tracking of modifications
# to the accounts on a server. If any of the enabled options are triggered by
# a modification to an account, an alert email is sent. Only the modification
# is reported. The cause of the modification will have to be investigated
# manually
#
# You can set AT_ALERT to the following:
# 0 = disable this feature
# 1 = enable this feature for all accounts
# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
# 3 = enable this feature only for the root account
AT_ALERT = "2"

# This option is the interval between checks in seconds
AT_INTERVAL = "60"

# Send alert if a new account is created
AT_NEW = "1"

# Send alert if an existing account is deleted
AT_OLD = "1"

# Send alert if an account password has changed
AT_PASSWD = "1"

# Send alert if an account uid has changed
AT_UID = "1"

# Send alert if an account gid has changed
AT_GID = "1"

# Send alert if an account login directory has changed
AT_DIR = "1"

# Send alert if an account login shell has changed
AT_SHELL = "1"

#########
# SECTION:Integrated User Interface
#########
# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
# without requiring a control panel or web server. The UI runs as a sub process
# to the lfd daemon
#
# As it runs under the root account and successful login provides root access
# to the server, great care should be taken when configuring and using this
# feature. There are additional restrictions to enhance secure access to the UI
#
# See readme.txt for more information about using this feature BEFORE enabling
# it for security and access reasons
#
# 1 to enable, 0 to disable
UI = "0"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "6666"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = ""

# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "username"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "password"

# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new
# login will be required
#
# For security reasons, you should always keep this option low (i.e 60-300)
UI_TIMEOUT = "300"

# This is the maximum concurrent connections allowed to the server. The default
# value should be sufficient
UI_CHILDREN = "5"

# The number of login retries allowed within a 24 hour period. A successful
# login from the IP address will clear the failures
#
# For security reasons, you should always keep this option low (i.e 0-10)
UI_RETRY = "5"

# If enabled, this option will add the connecting IP address to the file
# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
# able to login to the UI while it is listed in this file. The UI_BAN setting
# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
# csf.ignore, etc.
#
# For security reasons, you should always enable this option
UI_BAN = "1"

# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
#
# For security reasons, you should always enable this option and use ui.allow
UI_ALLOW = "1"

# If enabled, this option will trigger an iptables block through csf after
# UI_RETRY login failures
#
# 0 = no block;1 = perm block;nn=temp block for nn secs
UI_BLOCK = "1"

# This controls what email alerts are sent with regards to logins to the UI. It
# uses the uialert.txt template
#
# 4 = login success + login failure/ban/block + login attempts
# 3 = login success + login failure/ban/block
# 2 = login failure/ban/block
# 1 = login ban/block
# 0 = disabled
UI_ALERT = "4"

# This is the SSL cipher list that the Integrated UI will negotiate from
UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"

# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
# change this and to understand the implications of changing it
UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"

# If cxs is installed then enabling this option will provide a dropdown box to
# switch between applications
UI_CXS = "0"

# There is a modified installation of ConfigServer Explorer (cse) provided with
# the csf distribution. If this option is enabled it will provide a dropdown
# box to switch between applications
UI_CSE = "0"

#########
# SECTION:Messenger service
#########
# Messenger service. This feature allows the display of a message to a blocked
# connecting IP address to inform the user that they are blocked in the
# firewall. This can help when users get themselves blocked, e.g. due to
# multiple login failures. The service is provided by two daemons running on
# ports providing either an HTML or TEXT message.
#
# This feature does not work on servers that do not have the iptables module
# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included.
#
# For further information on features and limitations refer to the csf
# readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# 1 to enable, 0 to disable
MESSENGER = "0"

# Provide this service to temporary IP address blocks
MESSENGER_TEMP = "1"

# Provide this service to permanent IP address blocks
MESSENGER_PERM = "1"

# User account to run the service servers under. We recommend creating a
# specific non-priv, non-shell account for this purpose
MESSENGER_USER = "csf"

# This is the maximum concurrent connections allowed to each service server
MESSENGER_CHILDREN = "10"

# Set this to the port that will receive the HTTPS HTML message. You should
# configure this port to be >1023 and different from the TEXT and HTML port. Do
# NOT enable access to this port in TCP_IN. This option requires the perl
# module IO::Socket::SSL at a version level that supports SNI (1.83+).
# Additionally the version of openssl on the server must also support SNI
#
# The option uses existing SSL certificates on the server for each domain to
# maintain a secure connection without browser warnings. It uses SNI to choose
# the correct certificate to use for each client connection
#
# Warning: On some servers the amount of memory used by the HTTPS MESSENGER
# service can become significant depending on various factors associated with
# the use of IO::Socket::SSL including the number of domains and certificates
# served
MESSENGER_HTTPS = "8887"

# This comma separated list contains the HTTPS HTML ports that will be
# redirected for the blocked IP address. If you are using per application
# blocking (LF_TRIGGER) then only the relevant block port will be redirected to
# the messenger port
#
# Recommended setting "443" plus any end-user control panel SSL ports
MESSENGER_HTTPS_IN = ""

# This option points to the file(s) containing the Apache VirtualHost SSL
# definitions. This can be a file glob if there are multiple files to search.
# Only Apache v2 SSL VirtualHost definitions are supported
MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"

# The following options can be specified to provide a default fallback
# certificate to be used if either SNI is not supported or a hosted domain does
# not have an SSL certificate. If a fallback is not provided, one of the certs
# obtained from MESSENGER_HTTPS_CONF will be used
MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"

# Set this to the port that will receive the HTML message. You should configure
# this port to be >1023 and different from the TEXT port. Do NOT enable access
# to this port in TCP_IN
MESSENGER_HTML = "8888"

# This comma separated list contains the HTML ports that will be redirected for
# the blocked IP address. If you are using per application blocking (LF_TRIGGER)
# then only the relevant block port will be redirected to the messenger port
MESSENGER_HTML_IN = "80,2082,2095"

# Set this to the port that will receive the TEXT message. You should configure
# this port to be >1023 and different from the HTML port. Do NOT enable access
# to this port in TCP_IN
MESSENGER_TEXT = "8889"

# This comma separated list contains the TEXT ports that will be redirected for
# the blocked IP address. If you are using per application blocking (LF_TRIGGER)
# then only the relevant block port will be redirected to the messenger port
MESSENGER_TEXT_IN = "21"

# These settings limit the rate at which connections can be made to the
# messenger service servers. Their intention is to provide protection from
# attacks or excessive connections to the servers. If the rate is exceeded then
# iptables will revert for the duration to the normal blocking activity
#
# See the iptables man page for the correct --limit rate syntax
MESSENGER_RATE = "100/s"
MESSENGER_BURST = "150"

# The RECAPTCHA options provide a way for end-users that have blocked
# themselves in the firewall to unblock themselves.
#
# A valid Google ReCAPTCHA (v2) is required for this feature from:
# https://www.google.com/recaptcha/intro/index.html
#
# When configuring a new reCAPTCHA API key set, you must ensure that the option
# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
# used for all domains hosted on the server. lfd then checks that the hostname
# of the request resolves to an IP on this server.
#
# This feature requires the installation of the LWP::UserAgent perl module (see
# option URLGET for more details).
#
# The template used for this feature is /etc/csf/messenger/index.recaptcha.html
#
# Note: An unblock will fail if the end-user's IP is located in a netblock,
# blocklist or CC_* deny entry
RECAPTCHA_SITEKEY = ""
RECAPTCHA_SECRET = ""

# Send an email when an IP address successfully attempts to unblock themselves.
# This does not necessarily mean the IP was unblocked, only that the
# post-recaptcha unblock request was attempted
#
# Set to "0" to disable
RECAPTCHA_ALERT = "1"

# If the server uses NAT then resolving the hostname to hosted IPs will likely
# not succeed. In that case, the external IP addresses must be listed as a
# comma separated list here
RECAPTCHA_NAT = ""

#########
# SECTION:lfd Clustering
#########
# lfd Clustering. This allows the configuration of an lfd cluster environment
# where a group of servers can share blocks and configuration option changes.
# Included are CLI and UI options to send requests to the cluster.
#
# See the readme.txt file for more information and details on setup and
# security risks.
#
# Comma separated list of cluster member IP addresses to send requests to
CLUSTER_SENDTO = ""

# Comma separated list of cluster member IP addresses to receive requests from
CLUSTER_RECVFROM = ""

# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
# changes
CLUSTER_MASTER = ""

# If this is a NAT server, set this to the public IP address of this server
CLUSTER_NAT = ""

# If a cluster member should send requests on an IP other than the default IP,
# set it here
CLUSTER_LOCALADDR = ""

# Cluster communication port (must be the same on all member servers). There
# is no need to open this port in the firewall as csf will automatically add
# in and out bound rules to allow communication between cluster members
CLUSTER_PORT = "7777"

# This is a secret key used to encrypt cluster communications using the
# Blowfish algorithm. It should be between 8 and 56 characters long,
# preferably > 20 random characters
# 56 chars:    01234567890123456789012345678901234567890123456789012345
CLUSTER_KEY = ""

# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
# servers must have this server's IP address listed in their CLUSTER_RECVFROM
#
# Set to 0 to disable this feature
CLUSTER_BLOCK = "1"

# This option allows the enabling and disabling of the Cluster configuration
# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
# CLUSTER_MASTER server
#
# Set this option to 1 to allow Cluster configurations to be received
CLUSTER_CONFIG = "0"

# Maximum number of child processes to listen on. High blocking rates or large
# clusters may need to increase this
CLUSTER_CHILDREN = "10"

#########
# SECTION:Port Knocking
#########
# Port Knocking. This feature allows port knocking to be enabled on multiple
# ports with a variable number of knocked ports and a timeout. There must be a
# minimum of 3 ports to knock for an entry to be valid
#
# See the following for information regarding Port Knocking:
# http://www.portknocking.org/
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Knocking section of the
# csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
# e.g.: 22;TCP;20;100;200;300;400
PORTKNOCKING = ""

# Enable PORTKNOCKING logging by iptables
PORTKNOCKING_LOG = "1"

# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
# also be enabled to use this option
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
PORTKNOCKING_ALERT = "0"

#########
# SECTION:Log Scanner
#########
# Log Scanner. This feature will send out an email summary of the log lines of
# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
# they match a regular expression in /etc/csf/csf.logignore
#
# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
# be aware that the more files lfd has to track, the greater the performance
# hit. Note: File globs are only evaluated when lfd is started
#
# Note: lfd builds the report continuously from lines logged after lfd has
# started, so any lines logged when lfd is not running will not be reported
# (e.g. during reboot). If lfd is restarted, then the report will include any
# lines logged during the previous lfd logging period that weren't reported
#
# 1 to enable, 0 to disable
LOGSCANNER = "0"

# This is the interval each report will be sent based on the logalert.txt
# template
#
# The interval can be set to:
# "hourly" - sent on the hour
# "daily"  - sent at midnight (00:00)
# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
#            via cron job
LOGSCANNER_INTERVAL = "hourly"

# Report Style
# 1 = Separate chronological log lines per log file
# 2 = Simply chronological log of all lines
LOGSCANNER_STYLE = "1"

# Send the report email even if no log lines reported
# 1 to enable, 0 to disable
LOGSCANNER_EMPTY = "1"

# Maximum number of lines in the report before it is truncated. This is to
# prevent log lines flooding resulting in an excessively large report. This
# might need to be increased if you choose a daily report
LOGSCANNER_LINES = "5000"

#########
# SECTION:Statistics Settings
#########
# Statistics
#
# Some of the Statistics output requires the gd graphics library and the
# GD::Graph perl module with all dependent modules to be installed for the UI
# for them to be displayed
#
# This option enables statistical data gathering
ST_ENABLE = "1"

# This option determines how many iptables log lines to store for reports
ST_IPTABLES = "100"

# This option indicates whether rDNS and CC lookups are performed at the time
# the log line is recorded (this is not performed when viewing the reports)
#
# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
# then enabling this setting could cause serious performance problems
ST_LOOKUP = "0"

# This option will gather basic system statistics. Through the UI it displays
# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
#  . Hourly (per minute)
#  . 24 hours (per minute)
#  . 7 days (per minute averaged over an hour)
#  . 30 days (per minute averaged over an hour) - user definable
# The data is stored in /var/lib/csf/stats/system and the option requires the
# perl GD::Graph module
#
# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
# those systems does not store the required information in /proc/diskstats
# On new installations or when enabling this option it will take time for these
# graphs to be populated
ST_SYSTEM = "0"

# Set the maximum days to collect statistics for. The default is 30 days, the
# more data that is collected the longer it will take for each of the graphs to
# be generated
ST_SYSTEM_MAXDAYS = "30"

# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
# data. To use this option the server must have the perl modules DBI and
# DBD::mysql installed.
#
# Set this option to "0" to disable MySQL data collection
ST_MYSQL = "0"

# The following options are for authentication for MySQL data collection. If
# the password is left blank and the user set to "root" then the procedure will
# look for authentication data in /root/.my.cnf. Otherwise, you will need to
# provide a MySQL username and password to collect the data. Any MySQL user
# account can be used
ST_MYSQL_USER = "root"
ST_MYSQL_PASS = ""
ST_MYSQL_HOST = "localhost"

# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
# The value for PT_APACHESTATUS must be correctly set
ST_APACHE = "0"

# The following options measure disk write performance using dd (location set
# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and
# the statistics will plot the MB/s response time of the disk. As this is an IO
# intensive operation, it may not be prudent to run this test too often, so by
# default it is only run every 5 minutes and the result duplicated for each
# intervening minute for the statistics
#
# This is not necessarily a good measure of disk performance, primarily because
# the measurements are for relatively small amounts of data over a small amount
# of time. To properly test disk performance there are a variety of tools
# available that should be run for extended periods of time to obtain an
# accurate measurement. This metric is provided to give an idea of how the disk
# is performing over time
#
# Note: There is a 15 second timeout performing the check
#
# Set to 0 to disable, 1 to enable
ST_DISKW = "0"

# The number of minutes that elapse between tests. Default is 5, minimum is 1.
ST_DISKW_FREQ = "5"

# This is the command line passed to dd. If you are familiar with dd, or wish
# to move the output file (of) to a different disk, then you can alter this
# command. Take great care when making any changes to this command as it is
# very easy to overwrite a disk using dd if you make a mistake
ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"

#########
# SECTION:Docker Settings
#########
# NOTE: This feature is currently in BETA testing, so may not work correctly
#
# This section provides the configuration of iptables rules to allow Docker
# containers to communicate through the host. If the generated rules do not
# work with your setup you will have to use a /etc/csf/csfpost.sh file and add
# your own iptables configuration instead
#
# 1 to enable, 0 to disable
DOCKER = "0"

# The network device on the host
DOCKER_DEVICE = "docker0"

# Docker container IPv4 range
DOCKER_NETWORK4 = "172.17.0.0/16"

# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
# available (see IPv6 section). Leave blank to disable
DOCKER_NETWORK6 = "2001:db8:1::/64"

#########
# SECTION:OS Specific Settings
#########
# Binary locations
IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"
IPTABLES_RESTORE = "/sbin/iptables-restore"
IP6TABLES = "/sbin/ip6tables"
IP6TABLES_SAVE = "/sbin/ip6tables-save"
IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
MODPROBE = "/sbin/modprobe"
IFCONFIG = "/sbin/ifconfig"
SENDMAIL = "/usr/sbin/sendmail"
PS = "/bin/ps"
VMSTAT = "/usr/bin/vmstat"
NETSTAT = "/bin/netstat"
LS = "/bin/ls"
MD5SUM = "/usr/bin/md5sum"
TAR = "/bin/tar"
CHATTR = "/usr/bin/chattr"
UNZIP = "/usr/bin/unzip"
GUNZIP = "/bin/gunzip"
DD = "/bin/dd"
TAIL = "/usr/bin/tail"
GREP = "/bin/grep"
ZGREP = "/usr/bin/zgrep"
IPSET = "/usr/sbin/ipset"
SYSTEMCTL = "/usr/bin/systemctl"
HOST = "/usr/bin/host"
IP = "/sbin/ip"

# Log file locations
#
# File globbing is allowed for the following logs. However, be aware that the
# more files lfd has to track, the greater the performance hit
#
# Note: File globs are only evaluated when lfd is started
#
HTACCESS_LOG = "/var/log/httpd/error_log"
MODSEC_LOG = "/var/log/httpd/error_log"
SSHD_LOG = "/var/log/secure"
SU_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
IPTABLES_LOG = "/var/log/messages"
SUHOSIN_LOG = "/var/log/messages"
BIND_LOG = "/var/log/messages"
SYSLOG_LOG = "/var/log/messages"
WEBMIN_LOG = "/var/log/secure"

CUSTOM1_LOG = "/var/log/customlog"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"

# The following are comma separated lists used if LF_SELECT is enabled,
# otherwise they are not used. They are derived from the application returned
# from a regex match in /usr/local/csf/bin/regex.pm
#
# All ports default to tcp blocks. To specify udp or tcp use the format:
# port;protocol,port;protocol,... For example, "53;udp,53;tcp"
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53;udp,53;tcp"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
# This list is replaced, if present, by "Port" definitions in
# /etc/ssh/sshd_config
PORTS_sshd = "22"

# This configuration is for use with generic Linux servers, do not change the
# following setting:
GENERIC = "1"

# For internal use only. You should not enable this option as it could cause
# instability in csf and lfd
DEBUG = "0"
#########

add the remaining configuration files
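Since the question is whether the pasted configuration contains an error, here is a small lint, added as an example and not part of the original post or of csf itself, that parses csf.conf `KEY = "value"` lines and checks the constraints the file's own comments state: the Integrated UI must not keep the default UI_USER/UI_PASS, UI_PORT must be >1023, UI_ALLOW and UI_BAN should stay enabled, PORTKNOCKING entries need at least 3 knock ports, and PORTS_* items must be `port` or `port;tcp|udp`. The sample configuration inside it is constructed for the demonstration (comment lines in the real file start with `#`).

```python
"""Lint for a csf.conf fragment (added example, not csf's own code)."""
import re

# Constructed sample in csf.conf format; values chosen to trigger several checks.
SAMPLE_CONF = """\
# SECTION:Integrated User Interface
UI = "1"
UI_PORT = "6666"
UI_USER = "username"
UI_PASS = "password"
UI_ALLOW = "0"
PORTKNOCKING = "22;TCP;20;100;200;300;400,2222;TCP;20;100;200"
PORTS_bind = "53;udp,53;tcp"
PORTS_sshd = "22"
"""

# One setting per line: NAME = "value" (csf quotes every value).
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_csf_conf(text):
    """Return {NAME: value}; '#' comment lines and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def check_port_list(name, value):
    """Validate a PORTS_* list: items are 'port' or 'port;proto' (tcp/udp)."""
    findings = []
    for item in filter(None, value.split(",")):
        port, _, proto = item.partition(";")
        if not port.isdigit() or not 0 < int(port) < 65536:
            findings.append(f"{name}: invalid port '{item}'")
        elif proto and proto.lower() not in ("tcp", "udp"):
            findings.append(f"{name}: unknown protocol in '{item}'")
    return findings


def check_portknocking(value):
    """Each entry: openport;protocol;timeout;kport1;kport2;kport3[;...kportN]."""
    findings = []
    for entry in filter(None, value.split(",")):
        fields = entry.split(";")
        if len(fields) < 6:  # 3 header fields + the minimum of 3 knock ports
            findings.append(f"PORTKNOCKING: '{entry}' needs at least 3 knock ports")
            continue
        openport, proto, timeout, *knocks = fields
        if proto.upper() not in ("TCP", "UDP"):
            findings.append(f"PORTKNOCKING: unknown protocol in '{entry}'")
        if not all(f.isdigit() for f in [openport, timeout, *knocks]):
            findings.append(f"PORTKNOCKING: non-numeric field in '{entry}'")
    return findings


def lint_csf_conf(conf):
    """Apply the checks documented in the config comments; return a list of findings."""
    findings = []
    if conf.get("UI") == "1":  # the UI runs as root, so its settings matter most
        if conf.get("UI_USER") == "username":
            findings.append("UI_USER: still the default value")
        if conf.get("UI_PASS") == "password":
            findings.append("UI_PASS: still the default value")
        port = conf.get("UI_PORT", "")
        if not port.isdigit() or int(port) <= 1023:
            findings.append(f"UI_PORT: '{port}' should be a free port > 1023")
        if conf.get("UI_ALLOW", "1") != "1":
            findings.append("UI_ALLOW: should be 1 with trusted IPs in ui.allow")
        if conf.get("UI_BAN", "1") != "1":
            findings.append("UI_BAN: should be 1")
    if conf.get("PORTKNOCKING"):
        findings += check_portknocking(conf["PORTKNOCKING"])
    for key, value in conf.items():
        if key.startswith("PORTS_"):
            findings += check_port_list(key, value)
    return findings


if __name__ == "__main__":
    for finding in lint_csf_conf(parse_csf_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against your own /etc/csf/csf.conf by reading the file into `parse_csf_conf`; on the constructed sample it reports the default UI credentials, UI_ALLOW=0 and the short second PORTKNOCKING entry.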