H5W3
当前位置:H5W3 > 其他技术问题 > 正文

【nginx】站点刷新ip(网页页面)后,时不时的会出现403 forbidden,10秒钟左右,刷新又可以正常访问

站点可以正常访问的,nginx+php7,自己在测试网站的性能,发现刷新ip(每个网页页面)后,时不时的会出现403 forbidden,10秒钟(左右)后,刷新该页面又可以正常访问了。自己安装了csf防火墙,怀疑自己csf防火墙的规则是不是配置错了,请同学们看看,应该修改哪里?

ps:配置文件内容超出sf限制,贴出前面部分

###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"
# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"
# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of the those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "0"
# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"
# This options restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"
# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).
# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"
# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"
# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"
# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"
# Set the per IP address outgoing ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"
# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and can impact network performance, so should be left disabled by everyone
# else
ICMP_TIMESTAMPDROP = "0"
###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"
# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
# connection types
IPV6_ICMP_STRICT = "0"
# Pre v2.6.20 kernel must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"
# Allow incoming IPv6 TCP ports
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,3306"
# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"
# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"
# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123"
###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""
# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
ETH6_DEVICE = ""
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""
# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"
# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"
# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"
# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP's allowed through the
# firewall from infected PC's could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"
# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"
# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"
# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"
# Limit the number of IP's kept in the temprary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"
# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"
# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"
# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
#    and then restored where possible to provide a near instant firewall
#    startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
#    BOGON, TOR are loaded using this method in a fraction of the time than if
#    this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"
# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages, some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "0"
# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"
# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"
# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"
# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"
# Enable verbose output of iptables commands
VERBOSE = "1"
# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"
# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"
# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"
# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"
# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"
# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"
# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"
# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achive since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server

回答

剩下的csf.conf配置部分

CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = "22;tcp;5;300,80;tcp;500;5"

# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs and IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""

# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK  to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK  to "1" to enable this feature
#
# This can be an affective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""

###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
# 
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"

# The follow Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IP's is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IP's that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

# Set the following to the number of seconds to poll for a change in the IP
# address resoved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"

# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
LF_BOGON_SKIP = ""

# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URL's
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
# 
#   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
#   apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
#   perl -MCPAN -eshell
#   cpan> install LWP LWP::Protocol::https
#
# We recommend setting this set to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"

###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
# then only counties listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here then counties listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achive since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries small than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
# uses a URL-based lookup from a third-party provider at https://freegeoip.net
# and so avoids having to download and process the large databases. Please
# visit the https://freegeoip.net and read their limitations and respect that
# this option will either cease to function or be removed by us if that site is
# abused or overloaded. ONLY use this option if you have difficulties using the
# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
# CC_* options above, which will continue to use the MaxMind databases
#
CC_LOOKUPS = "1"

# Display Country Code and Country for reported IPv6 addresses using the
# MaxMind Country IPv6 Database
#
# "0" - disable
# "1" - enable and report the detail level as specified in CC_LOOKUPS
#
# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
# PORTFLOOD
CC6_LOOKUPS = "0"

# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = "14"

###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an ip address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/[email protected]/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4+ the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER,SSHDSPAM
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER,SSHDSPAM"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside, is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both an inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IP's and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
# 
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

###############################################################################
# SECTION:CloudFlare
###############################################################################
# This features provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as 
# iptables is concerned) come from the CloudFlare IP's. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attackers
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides CLI (and via the UI) additional commands
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

###############################################################################
# SECTION:Directory Watching & Integrity 
###############################################################################
# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
# directories for suspicious files, i.e. script exploits. If a suspicious
# file is found an email alert is sent. One alert per file per LF_FLUSH
# interval is sent
#
# To enable this feature set the following to the checking interval in seconds.
# To disable set to "0"
LF_DIRWATCH = "300"

# To remove any suspicious files found during directory watching, enable the
# following. These files will be appended to a tarball in
# /var/lib/csf/suspicious.tar
LF_DIRWATCH_DISABLE = "0"

# This option allows you to have lfd watch a particular file or directory for
# changes and should they change and email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# Set to disable set to "0"
LF_DIRWATCH_FILE = "0"

# System Integrity Checking. This enables lfd to compare md5sums of the
# servers OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# There will be constant false-positives as the servers OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase server I/O
# load onto the server as it checks system binaries.
#
# To disable set to "0"
LF_INTEGRITY = "3600"

###############################################################################
# SECTION:Distributed Attacks
###############################################################################
# Distributed Account Attack. This option will keep track of login failures
# from distributed IP addresses to a specific application account. If the
# number of failures matches the trigger value above, ALL of the IP addresses
# involved in the attack will be blocked according to the temp/perm rules above
#
# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 
# LF_HTACCESS
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTATTACK = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTATTACK
LF_DISTATTACK_UNIQ = "2"

# Distributed FTP Logins. This option will keep track of successful FTP logins.
# If the number of successful logins to an individual account is at least
# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
# then all of the IP addresses will be blocked
#
# This option can help mitigate the common FTP account compromise attacks that
# use a distributed network of zombies to deface websites
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_DISTFTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
LF_DISTFTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTFTP_PERM = "1"

# Send an email alert if LF_DISTFTP is triggered
LF_DISTFTP_ALERT = "1"

# Distributed SMTP Logins. This option will keep track of successful SMTP
# logins. If the number of successful logins to an individual account is at
# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
# addresses, then all of the IP addresses will be blocked. These options only
# apply to the exim MTA
#
# This option can help mitigate the common SMTP account compromise attacks that
# use a distributed network of zombies to send spam
#
# A sensible setting for this might be 5, depending on how many different
# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
#
# To disable set to "0"
LF_DISTSMTP = "0"

# Set the following to the minimum number of unique IP addresses that trigger
# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
LF_DISTSMTP_UNIQ = "3"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_DISTSMTP_PERM = "1"

# Send an email alert if LF_DISTSMTP is triggered
LF_DISTSMTP_ALERT = "1"

# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL = "300"

# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
LF_DIST_ACTION = ""

参考这篇文章

使用 csf 防火墙来有效阻止小规模 DDOS | 落格博客 – https://www.logcg.com/archive…

划重点

然后是添加防御规则,阻止日常少量的 ddos,当然,量大了的话还得靠硬件了对吧?
找到字段 PORTFLOOD ,做如下规则:
1
PORTFLOOD = “22;tcp;5;300,80;tcp;20;5,443;tcp;20;5”
这里规则是说分别对端口 22,80,443做策略(以IP为单位):
如果 22 端口某 IP 在 300 秒内发起 5 个以上链接,就 ban;
如果 80 或 443 端口某 IP 在 5 秒内发起 20 个以上链接,就 ban。
ban 的时间默认是 1800 秒。
然后,csf 还有个功能是在 ban 了 IP 之后发邮件通知你,我们对如下字段做修改,加入自己的邮件地址:
1
LF_ALERT_TO = “[email protected]

本文地址:H5W3 » 【nginx】站点刷新ip(网页页面)后,时不时的会出现403 forbidden,10秒钟左右,刷新又可以正常访问

评论 0

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址