After refreshing the site's IP (web page), a 403 Forbidden appears from time to time for about 10 seconds, after which refreshing gives normal access again.

The site can normally be accessed. Nginx + php7. I was testing the performance of the website myself and found that after refreshing the IP (each web page), a 403 Forbidden appears from time to time for about 10 seconds, after which the page can be accessed normally again. I have installed the csf firewall. I wonder whether the csf firewall rules are misconfigured. Please have a look: where should I modify it?

PS: the content of the configuration file exceeds the SF limit, so I am posting the first part here.

###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and can impact network performance, so should be left disabled by everyone
# else
ICMP_TIMESTAMPDROP = "0"

###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
# connection types
IPV6_ICMP_STRICT = "0"

# Pre v2.6.20 kernel must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"

###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
ETH6_DEVICE = ""

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"

# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP's allowed through the
# firewall from infected PC's could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"

# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
#    and then restored where possible to provide a near instant firewall
#    startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
#    BOGON, TOR are loaded using this method in a fraction of the time than if
#    this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"

# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages, some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "0"

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"

# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"

# Enable verbose output of iptables commands
VERBOSE = "1"

# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"

# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"

# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"

# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"

###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"

# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achieve since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"

###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
May.22,2021

The rest of the csf.conf configuration:

CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = "22;tcp;5;300,80;tcp;500;5"

# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

#########
# SECTION:Logging Settings
#########
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

#########
# SECTION:Reporting Settings
#########
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs an IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""

# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably be reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

#########
# SECTION:Temp to Perm/Netblock Settings
#########
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an effective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""

#########
# SECTION:Global Lists/DYNDNS/Blocklists
#########
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"

# The following Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

# Set the following to the number of seconds to poll for a change in the IP
# address resolved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"

# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""

# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URL's
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
#   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
#   apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
#   perl -MCPAN -eshell
#   cpan> install LWP LWP::Protocol::https
#
# We recommend setting this to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"

#########
# SECTION:Country Code Lists and Settings
#########
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
# then only countries listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
# uses a URL-based lookup from a third-party provider at https://freegeoip.net
# and so avoids having to download and process the large databases. Please
# visit https://freegeoip.net and read their limitations and respect that
# this option will either cease to function or be removed by us if that site is
# abused or overloaded. ONLY use this option if you have difficulties using the
# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
# CC_* options above, which will continue to use the MaxMind databases
#
CC_LOOKUPS = "1"

# Display Country Code and Country for reported IPv6 addresses using the
# MaxMind Country IPv6 Database
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
# PORTFLOOD
CC6_LOOKUPS = "0"

# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = "14"

#########
# SECTION:Login Failure Blocking and Alerts
#########
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably be set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER,SSHDSPAM
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside, is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IP's and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
-sharp 
-sharp Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

###############################################################################
# SECTION:CloudFlare
###############################################################################
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons)
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides additional commands via the CLI (and via the UI)
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

###############################################################################
# SECTION:Directory Watching & Integrity
###############################################################################
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "300"

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

# This option allows you to have lfd watch a particular file or directory for
# changes and, should they change, an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
LF_DIRWATCH_FILE = "0"

# System Integrity Checking. This enables lfd to compare md5sums of the
# server's OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the server's OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase I/O load on
# the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"

###############################################################################
# SECTION:Distributed Attacks
###############################################################################
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to log in to an individual FTP account within
# LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"

# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"

# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to log in to an individual SMTP account within
# LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"

# This is the interval (in seconds) during which a distributed FTP or SMTP
# attack is measured
LF_DIST_INTERVAL = "300"

# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""
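The LF_DISTFTP / LF_DISTFTP_UNIQ / LF_DIST_INTERVAL rule above, replayed over constructed login records so you can see which account trips it and which do not. This is an added illustration of the rule's semantics, not csf's own code; the thresholds are taken from the comments above and the log records are invented.

```python
from collections import defaultdict

# Thresholds as described in the csf.conf comments above
LF_DISTFTP = 5          # successful logins to one account within the interval
LF_DISTFTP_UNIQ = 3     # ...from at least this many distinct IPs
LF_DIST_INTERVAL = 300  # measurement window in seconds

# Constructed sample of successful FTP logins: (unix time, account, client IP)
SAMPLE_LOGINS = [
    # "webuser": 5 logins in 80 s from 4 distinct IPs -> should trigger
    (1000, "webuser", "203.0.113.10"),
    (1020, "webuser", "203.0.113.11"),
    (1040, "webuser", "203.0.113.12"),
    (1060, "webuser", "203.0.113.10"),
    (1080, "webuser", "203.0.113.13"),
    # "admin": 5 logins but all from one IP -> below LF_DISTFTP_UNIQ
    (1100, "admin", "198.51.100.5"), (1110, "admin", "198.51.100.5"),
    (1120, "admin", "198.51.100.5"), (1130, "admin", "198.51.100.5"),
    (1140, "admin", "198.51.100.5"),
    # "deploy": 5 IPs, but spread over 400 s -> never 5 inside one window
    (2000, "deploy", "192.0.2.20"), (2100, "deploy", "192.0.2.21"),
    (2200, "deploy", "192.0.2.22"), (2300, "deploy", "192.0.2.23"),
    (2400, "deploy", "192.0.2.24"),
]


def check_distributed_logins(logins, count=LF_DISTFTP,
                             uniq=LF_DISTFTP_UNIQ, interval=LF_DIST_INTERVAL):
    """Return {account: set_of_ips} for every account whose successful logins
    reach `count` within `interval` seconds from at least `uniq` distinct IPs.
    All IPs seen inside the triggering window are the ones csf would block."""
    if uniq > count:  # the config comment: LF_DISTFTP_UNIQ must be <= LF_DISTFTP
        raise ValueError("LF_DISTFTP_UNIQ must be <= LF_DISTFTP")
    by_account = defaultdict(list)
    for ts, account, ip in sorted(logins):
        by_account[account].append((ts, ip))
    hits = {}
    for account, events in by_account.items():
        for i, (ts, _) in enumerate(events):
            # sliding window: events in the `interval` seconds ending at ts
            window = [e for e in events[: i + 1] if ts - e[0] < interval]
            ips = {ip for _, ip in window}
            if len(window) >= count and len(ips) >= uniq:
                hits[account] = ips
                break
    return hits


if __name__ == "__main__":
    for account, ips in check_distributed_logins(SAMPLE_LOGINS).items():
        print(f"{account}: would block {sorted(ips)}")
```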


refer to this article

use csf firewall to effectively block small-scale DDOS | blog- https://www.logcg.com/archive.

then add defense rules to prevent the daily small amounts of ddos; of course, if the volume is large, you have to rely on hardware, right?
find the field PORTFLOOD and make the following rule:
PORTFLOOD = "22;tcp;20;5,80;tcp;20;5,443;tcp;20;5"
if an IP initiates more than 20 connections to port 22 in 5 seconds, then ban it;
if an IP initiates more than 20 connections to port 80 or 443 in 5 seconds, then ban it. The rule here applies a per-IP policy to ports 22, 80 and 443 (TCP). The default ban time is 1800 seconds.
then, csf also has a function to notify you by email after banning an IP. We modify the following field and add our own email address:
LF_ALERT_TO = "your-email@gmail.com"
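To see what the PORTFLOOD rule from the answer actually does before enabling it, here is an added simulation (not csf's code, and not from the linked blog) that parses the rule value in csf's `port;proto;connection_count;seconds` format and replays constructed connection timestamps through the same "more than N new connections to a port within S seconds" test, applying the 1800-second temporary ban the answer quotes.

```python
from collections import defaultdict

# Rule value as given in the answer above; format assumed to be csf's
# port;proto;connection_count;seconds, entries separated by commas.
PORTFLOOD = "22;tcp;20;5,80;tcp;20;5,443;tcp;20;5"
DENY_TEMP_SECONDS = 1800  # ban length quoted in the answer


def parse_portflood(value):
    """Return {(port, proto): (max_connections, window_seconds)}."""
    rules = {}
    for entry in value.split(","):
        port, proto, count, secs = entry.split(";")
        rules[(int(port), proto)] = (int(count), int(secs))
    return rules


def flood_offenders(conns, rules):
    """conns: iterable of (unix time, src ip, dst port, proto) for new
    connections. Returns {(ip, port): ban_expiry_time} for sources that
    exceed the per-port connection count inside the rule's window."""
    banned = {}
    recent = defaultdict(list)  # (ip, port) -> timestamps still in window
    for ts, ip, port, proto in sorted(conns):
        rule = rules.get((port, proto))
        if rule is None or (ip, port) in banned:
            continue  # no rule for this port/proto, or already banned
        limit, window = rule
        hist = recent[(ip, port)]
        hist.append(ts)
        hist[:] = [t for t in hist if ts - t < window]  # drop aged-out entries
        if len(hist) > limit:  # "more than" limit within window -> ban
            banned[(ip, port)] = ts + DENY_TEMP_SECONDS
    return banned


# Constructed sample traffic:
#  - 203.0.113.7 opens 25 connections to 80/tcp in 2.5 s (trips the rule)
#  - 198.51.100.9 opens 20 connections to 443/tcp over 10 s (stays under)
#  - 192.0.2.1 hits 53/udp, which PORTFLOOD does not cover
SAMPLE = [(100 + i / 10, "203.0.113.7", 80, "tcp") for i in range(25)]
SAMPLE += [(200 + i / 2, "198.51.100.9", 443, "tcp") for i in range(20)]
SAMPLE += [(300, "192.0.2.1", 53, "udp")]

if __name__ == "__main__":
    for (ip, port), until in flood_offenders(SAMPLE, parse_portflood(PORTFLOOD)).items():
        print(f"{ip} blocked on port {port} until t={until}")
```

Note that a csf block at the iptables layer drops packets rather than returning an HTTP 403, so a 403 page means the request reached nginx; this simulation only shows when PORTFLOOD would fire.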