极客观点
项目管理
HarmonyOS
请问伙伴们,自己的csf防火墙是不是出现了什么配置错误?
目前已经关闭了selinux和firewalld,自己的csf 配置如下:
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"
# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of the those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"
# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"
# This options restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"
# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"
# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and can impact network performance, so should be left disabled by everyone
# else
ICMP_TIMESTAMPDROP = "0"
###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"
# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
# connection types
IPV6_ICMP_STRICT = "0"
# Pre v2.6.20 kernel must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"
# Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"
# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"
###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""
# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
ETH6_DEVICE = ""
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""
# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"
# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"
# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"
# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP's allowed through the
# firewall from infected PC's could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"
# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"
# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"
# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"
# Limit the number of IP's kept in the temprary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"
# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"
# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"
# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
# and then restored where possible to provide a near instant firewall
# startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time than if
# this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"
# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages, some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "0"
# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"
# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"
# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"
# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"
# Enable verbose output of iptables commands
VERBOSE = "1"
# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"
# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"
# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"
# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"
# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"
# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"
# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"
# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achive since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
CONNLIMIT = ""
# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = "22;tcp;10;300,80;tcp;200;5,443;tcp;200;5"
# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"
# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"
###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"
# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"
# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"
# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"
# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"
# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"
# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"
# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"
# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"
# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"
# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"
# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"
###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""
# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""
# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""
# Block Reporting. lfd can run an external script when it performs and IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""
# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""
# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"
# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""
# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""
# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"
###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"
# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""
###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"
# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"
# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"
# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "0"
GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""
# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""
# Set the following to the number of seconds to poll for a change in the IP
# address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"
# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"
# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""
# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URL's
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
# apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
# perl -MCPAN -eshell
# cpan> install LWP LWP::Protocol::https
#
# We recommend setting this set to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"
###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""
# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""
# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
# then only counties listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""
# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then counties listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""
# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""
# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achive since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""
# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries small than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""
# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
# uses a URL-based lookup from a third-party provider at https://freegeoip.net
# and so avoids having to download and process the large databases. Please
# visit the https://freegeoip.net and read their limitations and respect that
# this option will either cease to function or be removed by us if that site is
# abused or overloaded. ONLY use this option if you have difficulties using the
# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
# CC_* options above, which will continue to use the MaxMind databases
#
CC_LOOKUPS = "1"
# Display Country Code and Country for reported IPv6 addresses using the
# MaxMind Country IPv6 Database
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
# PORTFLOOD
CC6_LOOKUPS = "0"
# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = "14"
nginx.conf 配置如下
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
client_max_body_size 8m; #允许客户端请求的最大单文件字节数
client_body_buffer_size 2m; #缓冲区代理缓冲用户端请求的最大字节
gzip on;
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
server {
listen 127.0.0.1;
server_name mywebsiteip.com;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.php index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
补充剩下的配置文件